video-frames
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/frame.shexecutes theffmpegbinary to extract frames from video files, which is the primary intended function of the skill.\n- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of theffmpegformula via the Homebrew package manager, which is a well-known and trusted service.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface within thescripts/frame.shscript.\n - Ingestion points: The script takes several user-controlled inputs, including file paths (
in,out), a timestamp (time), and a frame index (index) via command-line arguments.\n - Boundary markers: No specific delimiters or boundary markers are implemented to prevent input from being interpreted as instructions by the underlying tool.\n
- Capability inventory: The script has the capability to execute a powerful command-line tool (
ffmpeg) with these user-provided inputs.\n - Sanitization: While shell variables are double-quoted to prevent basic shell word-splitting and globbing attacks, the script does not validate the content or format of the
timeandindexvariables before interpolating them into theffmpegcommand or filter strings.
Audit Metadata