videoagent-director
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script
tools/director.jsto perform image, video, and audio generation for each storyboard shot. - [DATA_EXFILTRATION]: The orchestration script performs network operations to external API proxies (
image-gen-proxy.vercel.app,pexo-video-deploy.vercel.app, andaudiomind-proxy.vercel.app) to process generation requests. These requests send internally generated prompts and user-provided image URLs to the vendor's hosted services. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection as it interpolates user-provided creative briefs into prompts for external AI models. \n
- Ingestion points: User-supplied project descriptions and potential external image URLs are processed in
SKILL.md. \n - Boundary markers: No explicit delimiters or safety instructions are used when passing user-derived content to the tool execution script. \n
- Capability inventory: The skill is capable of outbound network requests and local file system operations within the temporary directory for token management. \n
- Sanitization: The skill does not perform validation or sanitization of the user's intent before using it to construct tool parameters.
Audit Metadata