video-creator
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

No explicit malicious code is present in this SKILL.md. The skill's stated capabilities, CLI usage, file I/O, and output behavior are consistent with its purpose (image+audio→video). Primary concerns: (1) privacy leakage because TTS (edge-tts) and likely image-generation scripts will send user-provided text/images to remote services; (2) mandatory automatic appending of an outro (branding/QR code) could be undesirable for some users and should be made opt-outable and clearly documented. I find no evidence of obfuscation or credential harvesting in the provided document, but the referenced scripts and external endpoints should be audited to confirm there is no unexpected network proxying or third-party interception.

LLM verification: The skill description and workflow are functionally coherent for automated video creation. The main risk stems from unpinned external dependencies and unvetted installation steps in the documentation. To reduce risk, pin all dependencies to known-good versions, source from trusted registries, segregate installation steps from runtime code (e.g., provide a controlled setup script or Dockerfile), and implement provenance checks for assets and model/data sources. If the installation steps are stric