tuzi-short-video
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill attempts to locate a sensitive API key (
TUZI_API_KEY) by searching through environment files in both the local project and the user's home directory (.tuzi-skills/.envand$HOME/.tuzi-skills/.env). - [COMMAND_EXECUTION]: The skill executes external scripts using
npx -y bun. The target script path (main.ts) is determined dynamically by resolving the location of a dependent skill (tuzi-video-gen), which constitutes dynamic loading from a computed path. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted user content (text, articles, or descriptions) and transforms it into visual prompts for a video generation model without sanitization or protective boundary markers.
- Ingestion points: User input analysis in
SKILL.md(Step 1). - Boundary markers: None identified in the prompt generation logic.
- Capability inventory: Shell command execution via
npxinSKILL.md(Step 4). - Sanitization: No evidence of escaping or filtering for the generated video prompts.
Audit Metadata