Skills
skills/wulaosiji/skills/zhuoran-video-selfie/Gen Agent Trust Hub

zhuoran-video-selfie

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The core logic file zhuoran_video_selfie.py contains a hardcoded API key (b9c67f3def268385bb9734970b11531f12ea24ae0d153859242e48ae46227668) used as a default value for the WaveSpeed AI service.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with the api.wavespeed.ai endpoint and downloads video content from URLs provided by the API response using the requests library in the download_video function.
  • [COMMAND_EXECUTION]: Both the main Python logic and the CLI entry point use subprocess.run to invoke a secondary script (feishu_video_sender.py). While arguments are passed as a list, user-supplied data such as target_id and caption are included in the command string, presenting a potential vector for command injection if the secondary script handles these arguments unsafely.
Recommendations
  • HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 8, 2026, 02:24 AM