demo-producer

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically generates bash scripts (demo-{name}.sh) and VHS tape files (.tape) based on metadata extracted from project files like SKILL.md and agent.md. These generated scripts are then executed using the Bash tool and terminal simulators. The extraction logic in scripts/generate.sh uses grep and cut without sanitizing the resulting strings, allowing potentially malicious commands embedded in metadata fields (e.g., name, description) to be executed during the recording process.
  • [REMOTE_CODE_EXECUTION]: The pipeline utilizes npx remotion and python generate.py (for Manim animations). These tools can fetch remote dependencies or execute code at runtime. Specifically, full-pipeline.sh executes Python scripts from a different skill directory (skills/video-production/scripts), introducing a cross-skill dependency risk where changes in one skill could impact the execution safety of another.
  • [PROMPT_INJECTION]: The SKILL.md includes instructions labeled as "CRITICAL" and "MANDATORY" regarding Task management. While designed to ensure progress tracking in complex workflows, the use of authoritative override language can be a pattern used to hijack agent priorities or bypass standard operational workflows.
  • [DATA_EXFILTRATION]: The skill is designed to read and analyze source code, configurations, and metadata across the codebase to produce demos. When combined with the lack of input sanitization in script generation, this creates an attack surface where sensitive information could be read and then exfiltrated via injected commands during the terminal simulation phase.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from other skills and agents.
      ◦ Ingestion points: scripts/generate.sh reads content from SKILL.md, agent.md, and plugin.json files throughout the project.
      ◦ Boundary markers: Absent. The skill reads files directly and extracts strings for immediate use in script templates without protective delimiters.
      ◦ Capability inventory: Uses Bash for command execution, Write for script creation, and calls external CLI tools like vhs, asciinema, and manim.
      ◦ Sanitization: Absent. Extracted metadata is directly interpolated into bash scripts, making it vulnerable to malicious instructions embedded in the processed project files.
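The COMMAND_EXECUTION finding and the "Sanitization: Absent" point above describe the same defect: a `key: value` line is pulled out of a metadata file with grep and cut and pasted into a generated script that is then run. The block below is an added illustration, not code from demo-producer or from the audit; the `name:`/`description:` line format, the `echo demo:` template and every function name are assumptions. It reproduces the unsafe pattern on a constructed SKILL.md whose `name` field carries a harmless payload, then shows the two fixes a generator like this needs: an allowlist for fields that become file names or bare command words, and shell quoting for free-text fields.

```shell
#!/usr/bin/env sh
# Added example, not the demo-producer project's own code. The metadata format
# (one "key: value" per line), the generated "echo demo:" template and all
# function names are assumptions made for illustration.

# Constructed sample input: writes a SKILL.md-style file with the given
# name and description and prints its path.
make_skill_md() {
  f=$(mktemp)
  printf 'name: %s\ndescription: %s\n' "$1" "$2" >"$f"
  printf '%s' "$f"
}

# The extraction pattern the audit describes: grep a "key:" line, cut off the
# key, strip leading whitespace. Nothing here constrains the value.
extract_field() {
  grep "^$2:" "$1" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# UNSAFE generator: the raw name is interpolated into a script which is then
# run. Output is returned so the injected command's effect is observable.
render_and_run_unsafe() {
  name=$(extract_field "$1" name)
  script=$(mktemp)
  printf 'echo demo: %s\n' "$name" >"$script"
  sh "$script"
  rm -f "$script"
}

# Fix 1: a field that becomes a file name (demo-{name}.sh) or a bare word in a
# command line must be a plain token. Reject anything else instead of escaping.
validate_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Fix 2: free text goes into the script single-quoted, with embedded single
# quotes rewritten as '\'' so ; $( ) " and ' cannot terminate the string.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened generator: allowlisted name, quoted description, then run.
render_and_run_safe() {
  name=$(extract_field "$1" name)
  validate_name "$name" || { echo "refusing to generate: bad name field" >&2; return 1; }
  desc=$(extract_field "$1" description)
  script=$(mktemp)
  printf 'echo demo: %s\necho %s\n' "$name" "$(shell_quote "$desc")" >"$script"
  sh "$script"
  rm -f "$script"
}
```

With the constructed file `name: demo; echo INJECTED`, the unsafe path prints `demo: demo` followed by `INJECTED`, which is the second command running from inside the generated script; the hardened path refuses to generate at all. A description such as `It's a demo with "quotes" and $(whoami)` survives the safe path as literal text. The same two rules apply to the `.tape` files: treat anything that ends up as a `Type` or `Exec` argument as data and quote it for the consumer that will parse it, and allowlist anything that becomes a path.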
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 12:06 AM