Trust Assessment
video-editing received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via LLM-generated shell commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 20, 2026 (commit 9a478ad6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via LLM-generated shell commands | Static | SKILL.md:50 |

Description: The skill's workflow explicitly instructs the host LLM (Claude/Codex) to "Scaffold FFmpeg and Remotion code" based on user input, and the document then provides example `ffmpeg` and `npx remotion` shell commands. If the LLM incorporates unsanitized user input directly into the shell commands it generates, an attacker who controls that input (a crafted file name, title text, or content of a file the agent is asked to edit) can execute arbitrary commands on the host system where the agent operates.

Remediation: Validate and sanitize all user-provided data before it is used to build or execute shell commands. Instruct the LLM explicitly to escape shell metacharacters, but do not rely on the model's escaping as the only control, since a prompt-injected input can also steer the model away from that instruction. Prefer APIs that take arguments as a list and never invoke a shell (for example Node's `child_process.execFile` or Python's `subprocess.run` with a list) or dedicated media libraries over raw shell strings assembled from user input.
Full report: https://skillshield.io/report/5cec6bc495bc9c34