ai-video-gen
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
Full Analysis
- [Command Execution] (SAFE): The scripts use subprocess.run with argument lists (rather than shell strings) to invoke FFmpeg for video assembly and audio mixing. This approach effectively mitigates shell injection risks.
- [Data Exposure] (SAFE): API keys for services like OpenAI, LumaAI, and Replicate are correctly handled via environment variables and .env files. Documentation uses safe placeholders (e.g., sk-...) rather than hardcoded secrets.
- [External Downloads] (SAFE): The skill performs network requests to download generated media from trusted AI providers (OpenAI, Replicate, LumaAI) which is essential to its primary function.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: User-provided text prompts and voiceover text enter the system via CLI arguments.
  - Boundary markers: Not present, as prompts are directly forwarded to AI APIs.
  - Capability inventory: Subprocess execution (FFmpeg) and network requests (API calls and media downloads).
  - Sanitization: No explicit sanitization of prompt text is performed; however, the impact is limited to the content of the generated media rather than the security of the host system.
Audit Metadata