Skills
skills/postplusai/postplus-skills/image-batch-runner/Gen Agent Trust Hub

image-batch-runner

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes a script for downloading video assets via an external utility.
  • Evidence: _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs uses spawn to run python3 -m yt_dlp for video downloading tasks.
  • [EXTERNAL_DOWNLOADS]: The skill performs legitimate downloads of generated media from the vendor's infrastructure.
  • Evidence: scripts/generate_image.mjs and scripts/poll_prediction.mjs use the downloadFile function to save image outputs from remote URLs returned by the generation API.
  • [DATA_EXFILTRATION]: Local media files are uploaded to the vendor's API to facilitate image editing workflows.
  • Evidence: scripts/upload_media.mjs reads local file content into a buffer and transmits it to the hosted media-file service via a secure bridge.
  • [CREDENTIALS_UNSAFE]: The skill retrieves session tokens from the user's local configuration to authenticate with hosted services.
  • Evidence: _postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cli_config.mjs reads the config.json file from OS-specific application support paths to access the cliSessionToken used for API authorization.
Audit Metadata
Risk Level
SAFE
Analyzed
May 8, 2026, 06:37 AM