video-translation
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the youtube-downloader skill from crazynomad/skills, which is an unverified external source not included in the trusted vendor list.
- [COMMAND_EXECUTION]: The workflow involves executing system commands including ffmpeg and various scripts (replace_audio.sh, tts.sh, download_video.py) with variables derived from user input and external sources. While scripts like replace_audio.sh use best practices like double-quoting variables, the execution of unverified external scripts carries inherent risks.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the subtitle translation phase.
  - Ingestion points: Subtitle text (.srt) sourced from external platforms in SKILL.md.
  - Boundary markers: Absent; the translation prompt lacks delimiters to separate untrusted text from instructions.
  - Capability inventory: Execution of bash, python, and ffmpeg processes across the local filesystem.
  - Sanitization: Absent; no validation or filtering is performed on the subtitle text before processing.
Audit Metadata