video-generation
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script video_core.py includes a test block that prints the first 10 characters of the WAVESPEED_KEY environment variable to the console, leading to partial credential exposure in execution logs.
- [COMMAND_EXECUTION]: The skill invokes the ffmpeg utility via subprocess.run for video frame extraction and concatenation. In scripts/generate_video_chain.py, it utilizes a hardcoded temporary file path /tmp/concat_list.txt, which can be insecure in shared environments due to predictability.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to api.wavespeed.ai to upload media and download generated video files. While consistent with the skill's purpose, this is an external service communication.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Ingestion points: User-supplied prompt strings and media file paths in scripts/generate_hero_video.py and scripts/generate_video_chain.py. Boundary markers: None; prompts are directly interpolated into the API request payloads. Capability inventory: Subprocess execution (ffmpeg), network communication (requests), and file writing. Sanitization: No validation or escaping is performed on external inputs before processing.
Audit Metadata