Audit History

product-launch-video - 2 audits

Audit version 2

Latest, High risk

Jun 30, 2026, 02:24 AM

Static analysis found many pattern matches. Most weak-crypto, backtick, and traversal alerts in Markdown and regex-heavy parsing code are false positives. However, the skill intentionally runs external commands, uses network capture and CDN assets, reads environment and hidden credentials, and writes generated project files across user-selected paths, so it should not be published without maintainer review and sandboxing.

Files scanned: 18
Lines analyzed: 4,061
Findings: 11
Auditor: codex

High-risk issues (3)

External Command Execution Across the Workflow
The skill instructs the agent to run HyperFrames CLI commands and includes Node scripts that spawn other processes such as the shared audio engine, ffprobe, and ffmpeg. This is expected for video generation, but it gives the skill significant execution capability on the host system.
Credential and Environment Access in Media Pipeline
The workflow references sign-in state, API key availability, a hidden HeyGen credential, and an environment override for the media engine path. These are legitimate integration points, but they increase the impact if the skill or its dependencies are altered.
Broad Filesystem Writes from User-Selected Project Paths
Several scripts resolve CLI-provided project paths and write or copy generated files such as frame.md, caption skins, captions, and staged assets. This is normal for a generator, but it can overwrite files if run with an unsafe project path.
Medium-risk issues (2)
Remote CDN Script Loaded in Generated Output
Generated HTML includes GSAP from jsDelivr. This is a common frontend dependency pattern, but it adds a network supply-chain dependency to rendered compositions.
Static Scanner Heuristics Mostly Match Benign Text and Regex
Many alerts for weak cryptography, Ruby backticks, C2 keywords, and path traversal occur in Markdown guidance, examples, regex literals, or comments. I did not find semantic evidence that these matches implement malicious behavior.
Low-risk issues (1)
No Prompt Injection Attempt Found in Reviewed Files
A targeted search for override language, fake system messages, pre-approval claims, and instructions to skip security review found no evidence of prompt injection attempts.

Detected patterns

Process Spawning
Hidden Credential and API Key Use
Generated File Writes

Audit version 1

High risk

Jun 27, 2026, 09:04 AM

The static findings are partly true positives and partly noisy matches from documentation. I found no evidence of malicious intent or prompt injection, but the skill executes local scripts, invokes external commands, reads provider credentials, captures URLs, and generates HTML that can execute remote or injected script. Publish should wait for remediation of the generated HTML injection and CDN execution risks.

Files scanned: 18
Lines analyzed: 4,061
Findings: 11
Auditor: codex

High-risk issues (1)

Generated Caption HTML Allows Script Breakout
Caption text from audio metadata is inserted into an inline script with JSON.stringify. If untrusted product copy or script text contains a closing script tag sequence, preview or render HTML could execute injected JavaScript.
Medium-risk issues (3)
Remote JavaScript Loaded in Generated Compositions
The generated main and caption compositions load GSAP from jsdelivr at render or preview time. This creates a supply chain and deterministic rendering risk, even though the URL targets a known library version.
Expected External Command Execution
The workflow intentionally runs npx, node scripts, ffprobe, ffmpeg, and a media engine selected by HF_MEDIA_ENGINE. This is normal for HyperFrames video production, but it increases local execution risk for a community skill.
Credential and Provider Environment Access
The skill uses provider keys for capture and the HeyGen credential for audio services. This appears legitimate, but users should know secrets may be read by the broader HyperFrames media pipeline.
Low-risk issues (2)
Documentation Tokens Triggered Many Static False Positives
Most weak crypto, path traversal, system reconnaissance, and Ruby backtick alerts in reference markdown are motion-design vocabulary, relative documentation links, CSS values, or prose examples. These are not executable security behavior by themselves.
Project File Writes Are Broad but Expected
The scripts write frame.md, captions, assets, and index.html under the selected HyperFrames project. This is required for the workflow, but the user should run it only in an intended project directory.

Detected patterns

Inline Script Data Injection
Environment-Selected Engine Execution
Remote CDN Script Execution