paw-cra-video-shortform
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM
Category: COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: Potential command injection in production steps. In 'references/production.md', variables derived from user-provided scripts and briefs, such as 'visual_description' and 'voiceover_line', are interpolated directly into shell commands for the 'egaki' CLI and 'curl'. This allows an attacker to execute arbitrary system commands by including shell metacharacters in the input.
- [COMMAND_EXECUTION]: Risk of path traversal in file management. The skill constructs file system paths for exporting videos and manifests using the '{brand}' and '{topic-slug}' variables in 'references/validation-export.md'. Without validation, these inputs could be used to manipulate paths (e.g., using '../../') and overwrite files outside the intended directories.
- [COMMAND_EXECUTION]: Vulnerability in ffmpeg filter construction. The skill uses configuration values like '{brand_font}' within complex 'ffmpeg' subtitle filters. Maliciously crafted configuration data could lead to filter injection, potentially allowing unauthorized file access or unexpected process behavior.
Audit Metadata