video-coder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Command Execution (SAFE): The skill requires the execution of a local Python script (.claude/skills/asset-creator/scripts/svg-path.py). This script is part of the skill's own internal assets and is used for geometric calculations, which is a standard pattern.
- Indirect Prompt Injection (LOW): The skill demonstrates a vulnerability surface for indirect prompt injection (Category 8) by interpolating design data into shell commands.
  - Ingestion points: Untrusted JSON design specifications like 'path_params'.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the documentation.
  - Capability inventory: The skill executes a local Python script via a subprocess call.
  - Sanitization: The implementation relies on single-quoting JSON arguments in the shell command, which provides basic escaping but lacks thorough validation of the input content.
Audit Metadata