google-veo
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides installation guidance for the
infshCLI tool via a link to a GitHub repository (inference-sh/skills) and suggests adding related skills usingnpx. These resources are managed by the service provider and are standard for tool integration.\n- [COMMAND_EXECUTION]: Core functionality is implemented through the execution of theinfshcommand-line tool via the shell.\n- [PROMPT_INJECTION]: The skill processes user-supplied text to generate video prompts. This creates an indirect prompt injection surface, which is inherent to the intended use case of video generation.\n - Ingestion points: Prompt content passed to the
infsh app runcommand via the--inputJSON payload.\n - Boundary markers: No specific delimiters or boundary markers are defined in the provided instruction examples.\n
- Capability inventory: Shell command execution using the
infshCLI.\n - Sanitization: No explicit sanitization or input validation mechanisms are described within the skill's instructions.
Audit Metadata