lightx2v
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides various shell scripts in the scripts/ directory to manage interactions with the LightX2V API. These scripts utilize standard utilities such as curl, base64, jq, and python3 to execute network requests and process data. The install.sh script uses a Python heredoc to safely update the local configuration file with the user's API token.
- [DATA_EXFILTRATION]: The helper scripts include functionality to read local files and upload them to the vendor's API. The lightx2v_submit_and_poll.sh and voice_clone.sh scripts read local image and audio files, convert them to Base64 strings, and send them to the vendor's domain for processing. This mechanism is the primary way the skill handles user-provided media for generation tasks.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to the vendor's cloud service at x2v.light-ai.top. It fetches available model lists, task statuses, and resulting media URLs.
- [PROMPT_INJECTION]: The skill contains instructions for managing character persona and dialogue flow. Best practices for sanitization are observed, with the inclusion of an escape_json function in the shell scripts to escape special characters in user prompts before transmission to the API.
Audit Metadata