remotion-video
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (LOW): The scripts generate_audio_edge.py and generate_audio_minimax.py use subprocess.run to execute ffprobe. While they use argument lists to prevent shell injection, the file paths are constructed using identifiers that may originate from untrusted user data.
- DYNAMIC_EXECUTION (MEDIUM): The update_config function in scripts/generate_audio_minimax.py generates and writes a TypeScript file (src/audioConfig.ts) by interpolating data into a code template. The lack of escaping for fields such as 'title' and 'id' creates a risk of code injection that would be executed when the Remotion project is run or built.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation instructs users to install external tools and libraries, including ffmpeg and the Python package edge-tts. These represent dependencies on external, non-whitelisted sources.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted user instructions to generate video content and metadata. It lacks boundary markers and sanitization when interpolating this data into the Python/TypeScript generation pipeline (Ingestion: user prompts in script SCENES; Capabilities: subprocess calls, file writing, and network operations; Sanitization: none; Boundary markers: none).
- DATA_EXFILTRATION (LOW): The skill communicates with the MiniMax API (api.minimax.io) and transmits an API key retrieved from environment variables. Although this is intended functionality, the domain is not on the whitelist for network operations.
Audit Metadata