shorts-video-maker
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The scripts `scripts/cut_shorts.py`, `scripts/transcribe.py`, and `scripts/download_video.py` use the `subprocess` module to execute external CLI tools including `ffmpeg`, `ffprobe`, and `yt-dlp`.
  - These calls are used to extract video dimensions, perform video cropping, extract audio, and handle video downloads.
  - Arguments are passed as lists rather than strings, which mitigates standard shell injection risks.
- [EXTERNAL_DOWNLOADS]: The script `scripts/download_video.py` utilizes the `yt-dlp` library to fetch video content from YouTube URLs provided by the user. YouTube is a well-known service, and this behavior is core to the skill's stated purpose.
- [EXTERNAL_DOWNLOADS]: The script `scripts/transcribe.py` uses the `openai-whisper` library, which automatically downloads pre-trained AI models from OpenAI's official servers upon first use. OpenAI is a trusted organization.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill processes media files locally in a `temp/` directory. No evidence of unauthorized data transmission or hardcoded credentials was found.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (YouTube videos and transcriptions).
  - Ingestion points: YouTube video content via `download_video.py`, generated transcription JSON files, and markdown script files.
  - Boundary markers: None identified.
  - Capability inventory: Execution of `ffmpeg` and `yt-dlp` via subprocess.
  - Sanitization: `cut_shorts.py` uses regular expressions to parse time codes from markdown files, providing a basic layer of validation for extracted data.
Audit Metadata