creative-qa
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches video assets from external URLs defined in manifest files using the yt-dlp tool.
- [COMMAND_EXECUTION]: Spawns python3 sub-processes to execute the yt_dlp module for media processing.
- [DATA_EXFILTRATION]: Transmits local media data to the vendor's hosted API for production generation tasks.
- [PROMPT_INJECTION]: Skill ingests untrusted data from manifest files (manifest.json) without boundary markers; capability inventory includes subprocess spawning and file writes in shared-runtime scripts; sanitization is absent for input fields like sourceId, presenting an indirect injection surface.
- [SAFE]: Maintains session-specific configuration and credentials in the user's home directory using standard CLI patterns.
Audit Metadata