skills/yong-opus/opus-skills/opusclip/Gen Agent Trust Hub

opusclip

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bundled script scripts/opusclip executes system commands including curl, jq, and ffmpeg to interact with the API and process media files. It also utilizes open or xdg-open to display generated HTML previews or storyboard images in the user's default browser or image viewer.
  • [EXTERNAL_DOWNLOADS]: The CLI fetches video preview files and project metadata from the official OpusClip API service at api.opus.pro. These files are temporarily stored in /tmp for local operations such as trimming or generating storyboards.
  • [PROMPT_INJECTION]: The preview command generates an HTML page by interpolating clip titles and descriptions from the API directly into a template without HTML sanitization. This creates a surface for indirect prompt injection (XSS) if malicious content is present in video metadata.
      • Ingestion points: API responses from https://api.opus.pro/api/exportable-clips processed in scripts/opusclip.
      • Boundary markers: None present.
      • Capability inventory: File system writes to /tmp, execution of open/xdg-open to launch a web browser.
      • Sanitization: Absent; the script uses direct bash string replacement for template variables.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 30, 2026, 03:25 AM