Skills
skills/shuliuzhenhua-sys/shuliu-skills/sora-video/Gen Agent Trust Hub

sora-video

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill reads environment configuration from hidden files located at ~/.shuliu-skills/.env and ./.shuliu-skills/.env to retrieve the LNAPI_KEY used for authentication.
  • [DATA_EXFILTRATION]: The script scripts/main.ts permits reading any file from the filesystem through the --promptfiles and --image arguments. The contents of these files are then sent to the external service at https://lnapi.com, creating a risk of exfiltrating sensitive files like SSH keys or credentials if the agent is directed to access them.
  • [COMMAND_EXECUTION]: The skill's primary operation involves executing a local TypeScript script (scripts/main.ts) using the bun runtime environment.
  • [DATA_EXFILTRATION]: The skill possesses a vulnerability surface for indirect prompt injection due to its file-processing capabilities.
  • Ingestion points: Content from files specified via --promptfiles and --image in scripts/main.ts.
  • Boundary markers: Absent; file content is concatenated and sent directly to the API without delimiters or instructions to ignore embedded commands.
  • Capability inventory: Includes readFile (filesystem access), writeFile (filesystem write), and fetch (network transmission to an external domain).
  • Sanitization: None; the skill does not validate file paths or sanitize the content of the files before transmission.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 28, 2026, 02:51 AM