remotion-synced-video

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (HIGH): Multiple shell scripts (e.g., scripts/crawl_bing_hd.sh and its v1-v5 variants) contain a critical code injection vulnerability. They interpolate the $QUERY shell variable directly into a Python triple-quoted string inside a python3 -c command. The shell expands $QUERY before python3 starts, so a query containing ''' closes the string literal and whatever follows it is executed as arbitrary Python code with the script's privileges. The || echo "$QUERY" fallback compounds the problem: if the Python one-liner fails, the raw, unencoded query is used as ENCODED_QUERY anyway.
    Evidence: ENCODED_QUERY=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$QUERY'''))" 2>/dev/null || echo "$QUERY") in scripts/crawl_bing_hd.sh.
  • COMMAND_EXECUTION (MEDIUM): scripts/generate_placeholder.js runs ffmpeg through child_process.execSync with a template literal built from unsanitized values. execSync hands the whole string to a shell, so if the scene ID that feeds ppmPath or outputPath is attacker-controlled, shell metacharacters in it (a closing double quote followed by ; or $(...)) execute arbitrary commands.
    Evidence: execSync(`ffmpeg -i "${ppmPath}" -q:v 2 "${outputPath}" -y`, ...) in scripts/generate_placeholder.js.
  • EXTERNAL_DOWNLOADS (LOW): The skill performs extensive automated web crawling and asset downloading from search engines and Unsplash using curl and the agent-browser CLI. It contacts non-whitelisted external domains and downloads from URLs discovered dynamically at run time, so the fetched content is not under the skill author's control.
    Evidence: curl invocations in scripts/crawl_bing_hd.sh and agent-browser open commands in multiple crawler scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 19, 2026, 03:57 PM