pellicule
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs external packages from the 'sailscastshq' GitHub organization (e.g., 'npx skills add sailscastshq/pellicule-skills', 'npm install pellicule'), which is not a pre-approved trusted source.
- [COMMAND_EXECUTION] (HIGH): The documentation explicitly instructs users to use 'sudo apt install ffmpeg' for installation on Linux, which promotes unnecessary privilege escalation.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill workflow involves an AI agent generating Vue code based on user prompts and then executing that code via 'npx pellicule'. This creates a significant surface for indirect prompt injection. 1. Ingestion point: User-provided video descriptions in README/Usage. 2. Boundary markers: None mentioned for generated code. 3. Capability: Command execution via npx and file system writes. 4. Sanitization: None provided for user input interpolated into components.
Recommendations
- AI detected serious security threats
Audit Metadata