video-subtitle-remover
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill downloads Python source code from a third-party repository and executes it on the local machine.
  - Evidence: In `SKILL.md`, a `curl` command fetches the file tree from `https://api.github.com/repos/YaoFANGUK/video-subtitle-remover/git/trees/main?recursive=1` and pipes it to a `python3` script that downloads individual files to `~/.opencode/tools/video-subtitle-remover/`.
  - Execution: The skill later executes the downloaded code via `python3 ~/.opencode/tools/video-subtitle-remover/run_remove.py`.
- [EXTERNAL_DOWNLOADS]: The skill fetches multiple binary models and dependencies from external sources.
  - Evidence: Downloads model weights (`.pth`, `.pdiparams`) and configuration files directly from `raw.githubusercontent.com`.
  - Evidence: Installs a large number of third-party Python packages using `pip3 install`.
- [COMMAND_EXECUTION]: The skill performs complex environment setup and file operations.
  - Evidence: Creates directories in the hidden path `~/.opencode/`.
  - Evidence: Modifies code logic at runtime using the `edit` tool to inject MPS support and path fixes into `backend/config.py`.
  - Evidence: Uses `curl` to fetch content and `python3` to merge file segments locally.
Recommendations
- HIGH: Downloads and executes remote code from: https://api.github.com/repos/YaoFANGUK/video-subtitle-remover/git/trees/main?recursive=1 - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata