📦
审计历史
website-to-video - 2 审计
审计版本 2
最新 高风险Jun 30, 2026, 02:45 AM
Static analysis reported many command, network, filesystem, and credential patterns. Review found many markdown and regex false positives, but confirmed that the skill intentionally captures websites, handles API keys, calls third-party services, writes project artifacts, and runs local CLI commands. No prompt injection or confirmed malicious intent was found, so this is high risk rather than blocked.
13
已扫描文件
4,217
分析行数
13
发现项
codex
审计者
高风险问题 (3)
Credential Handling Guidance for External Services
The skill asks users to place Gemini, ElevenLabs, and HeyGen API keys in .env files or paste keys into chat. This is functional for TTS and image descriptions, but it creates credential exposure risk in shared workspaces and transcripts.
references/step-0-capture.md:13-23references/step-4-vo.md:79-87references/step-4-vo.md:100-118references/step-6-validate.md:130-146
Network Calls and Website Capture Workflow
The skill instructs agents to capture arbitrary user-supplied URLs and call external TTS APIs. Captured screenshots, page assets, narration text, and metadata may leave the local environment depending on the selected tools.
Broad Local File Creation and Project Artifact Access
The workflow creates and reads many local artifacts, including capture output, design files, transcripts, snapshots, rendered files, and composition HTML. This is expected for video generation, but it expands the filesystem access surface.
中风险问题 (2)
Local CLI Execution Required for Normal Operation
The skill depends on npx hyperframes commands, node scripts, curl examples, and validation tooling. The commands are mostly fixed workflow steps, but users should run them only in trusted projects.
Third-Party Licensed Audio Assets Bundled
The skill includes bundled sound effects and a credits file referencing the Pixabay license. This is not a code security issue, but users should verify license compatibility for commercial projects.
低风险问题 (3)
Static Analyzer False Positives from Markdown Backticks
Most Ruby backtick execution findings occur in markdown inline code, tables, command examples, or file names. They are documentation syntax, not executable Ruby code.
scripts/w2h-verify.mjs:9-10scripts/w2h-verify.mjs:242scripts/w2h-verify.mjs:410scripts/w2h-verify.mjs:510scripts/w2h-verify.mjs:634scripts/w2h-verify.mjs:690
Static Analyzer False Positives from JavaScript Regex exec Calls
The script findings labeled Python exec or process exec are JavaScript RegExp exec calls used for parsing text. The script also states it performs pure file analysis with no shell spawns.
No Prompt Injection Attempt Found in Reviewed Files
Targeted review did not find instructions claiming marketplace pre-approval, telling the evaluator to skip security analysis, or overriding system instructions. No evidence found for prompt injection in the reviewed files.
风险因素
⚙️ 外部命令 (4)
📁 文件系统访问 (3)
🔑 环境变量 (3)
检测到的模式
API Keys in Environment Files and HeadersCapture and Snapshot Commands May Process Sensitive Website ContentLocal Validation Script Reads Project HTML and Media Metadata
审计版本 1
中风险Jun 27, 2026, 09:04 AM
AI review found no confirmed malicious intent and no prompt injection attempt. Most static findings are false positives from markdown examples, placeholders, and validation text, but the skill legitimately captures websites, stores screenshots and assets, uses external APIs, and handles API keys, so it should publish with clear data handling warnings.
13
已扫描文件
4,217
分析行数
12
发现项
codex
审计者
中风险问题 (3)
Arbitrary Website Capture And Local Artifact Storage
TRUE POSITIVE with legitimate purpose. The workflow asks the agent to capture a user supplied URL and store screenshots, assets, extracted text, and metadata locally. This can collect sensitive website content if the user captures private or authenticated pages.
Third-Party AI Processing Of Captured Screenshots
TRUE POSITIVE with legitimate purpose. The workflow recommends Gemini image descriptions and snapshot descriptions, which can send captured page images or frames to a third-party AI service. Users should avoid private pages unless they approve that processing.
references/step-4-vo.md:61-66references/step-4-vo.md:79-86references/step-4-vo.md:94-106references/step-6-validate.md:130-146
API Key Handling Guidance Needs Care
TRUE POSITIVE with legitimate purpose. The workflow discusses Gemini, ElevenLabs, HeyGen, and OAuth tokens, and it tells agents to use keys from environment variables or pasted user input. This is not exfiltration, but it increases secret handling risk.
低风险问题 (4)
Markdown Command Examples Caused Many False Positives
FALSE POSITIVE for most external command hits. The flagged text is mostly markdown instructions and example commands such as HyperFrames capture, preview, lint, and validation. These are expected for a video rendering workflow, although users should run them only in trusted projects.
Verification Script Static Exec Alerts Are False Positives
FALSE POSITIVE. The verification script states it performs pure file analysis and contains no shell spawns in the reviewed sections. The scanner appears to have matched process control text and JavaScript tokens rather than executable command injection.
Bundled Sound Effect Metadata Is Benign
FALSE POSITIVE. Weak crypto and command alerts in the bundled SFX files are metadata and markdown references to MP3 names, descriptions, and license credits. No cryptographic or executable behavior was found there.
references/step-0-capture.md:16-23references/step-6-validate.md:142-146references/step-6-validate.md:277-292
Path Placeholder Alerts Are Mostly Benign
FALSE POSITIVE with minor caution. Many path traversal and filesystem alerts come from documented placeholders such as project directories, capture folders, and snapshot output paths. They describe normal local project files, not an instruction to read protected system paths.
风险因素
⚙️ 外部命令 (4)
🌐 网络访问 (4)
📁 文件系统访问 (4)
检测到的模式
Sensitive Data May Enter Capture OutputsSecrets Are Used By External Service Examples