Skills
skills/postplusai/postplus-skills/video-analysis/Gen Agent Trust Hub

video-analysis

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted video files and metadata from social media platforms.
  • Ingestion points: TikTok/Reels URLs and the corresponding downloaded video files are processed in scripts/run_video_analysis_batch.mjs.
  • Boundary markers: The Gemini prompt construction in buildPrompt does not utilize delimiters or specific instructions to the model to ignore potential instructions embedded in the video's content.
  • Capability inventory: The skill has permissions to execute shell commands (ffprobe, yt-dlp), read/write local files, and perform network requests to a hosted API.
  • Sanitization: No sanitization of video data or source metadata is performed before submission to the language model.
  • [COMMAND_EXECUTION]: The skill executes external tools yt-dlp and ffprobe via Node.js spawn and spawnSync. While these are necessary for the skill's stated purpose, they represent the execution of external binary code.
  • [EXTERNAL_DOWNLOADS]: The skill's core workflow involves downloading video content from external TikTok and Reels URLs.
Audit Metadata
Risk Level
SAFE
Analyzed
May 8, 2026, 06:37 AM