image-to-video
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes ffmpeg and ffprobe using Python's subprocess.run. The implementation follows security best practices by passing arguments as a list and avoiding shell=True, which effectively prevents command injection vulnerabilities.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions for installing the ffmpeg utility via official, well-known package managers such as Homebrew (brew) and APT (apt). References to external tools are limited to these standard, trusted system utilities.
- [DATA_EXFILTRATION]: Analysis of the Python script and agent instructions confirms that all operations are performed locally. There are no network requests, and no attempts to access sensitive system files or credentials were found.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests user-provided media files and processes their names and metadata. While the script output is presented to the agent, the processing is handled through safe path manipulation and standard subprocess calls, presenting no significant surface for indirect injection attacks.
Audit Metadata