frigate-configurator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- COMMAND_EXECUTION (HIGH): The validation script `scripts/validate-config.sh` is vulnerable to command injection.
  - Evidence: File `scripts/validate-config.sh`, line 37: `python3 -c "import yaml; yaml.safe_load(open('$CONFIG_FILE'))"`.
  - Description: The `$CONFIG_FILE` variable is interpolated into a Python command string without sanitization. An attacker can execute arbitrary code by supplying a crafted filename (e.g., `config.yml'); import os; os.system('id') #`) to the validation utility. This creates a significant risk if the agent is tasked with validating untrusted files.
- CREDENTIALS_UNSAFE (LOW): Placeholder credentials are present in example configuration templates.
  - Evidence: `templates/config-minimal.yml` contains `rtsp://admin:password@192.168.1.100:554/stream1`.
  - Description: Hardcoded placeholder credentials are used in the provided examples, which is a security best practice violation that can lead to insecure deployments if not changed.
Recommendations
- AI detected serious security threats
Audit Metadata