Skill Trust Decision

product-demo-video

Skill contains a catastrophic `rm -rf /` command in install-deps.sh:23 with no declared shell permissions, plus undeclared shell execution and dynamically generated Python code in record-demo.mjs.

Source: Manual upload · Scanned: Apr 4, 2026
Files 5
Artifacts 4
Violations 5
Findings 6

Why this conclusion was reached

3/4 dimensions flagged

Block · Declared vs actual capability

5 undeclared or violating capabilities were inferred.

Block · Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block · Attack chain and severe findings

The report includes 3 attack-chain steps and 3 severe findings.

Pass · Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01. Skill invoked with Bash:WRITE capability, allowing shell command execution

Escalation · SKILL.md

02. install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob expansion could resolve to /tmp/ or broader paths if archive structure is unexpected

Escalation · scripts/install-deps.sh:23

03. If run as root (e.g., in a Docker container), `rm -rf /tmp/` or broader path wipe could cause data loss across the system

Impact · scripts/install-deps.sh:23

What drove the risk score up

Destructive shell command +35

install-deps.sh:23 contains `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob `*` could expand to /tmp/ or beyond if the tarball doesn't extract as expected, potentially wiping /tmp/ or more

Undeclared shell execution +20

SKILL.md declares no permissions but record-demo.mjs uses execSync to run edge-tts, ffmpeg, ffprobe, and python3 as undeclared shell commands

Dynamic code generation and execution +10

record-demo.mjs generates a Python script as a string (lines 215-290) and executes it via execSync, a form of dynamic code generation not declared in SKILL.md

No declared capability permissions +5

SKILL.md frontmatter declares no allowed-tools or resources, yet the skill requires shell:WRITE, filesystem:WRITE, and network:READ

Most important evidence

Critical RCE

Destructive `rm -rf` glob command in install script

Line 23 of install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static`. The glob pattern `ffmpeg-*-amd64-static` could expand to /tmp/ itself or a broader path if the tarball extracts unexpectedly (e.g., flat files or to a parent directory). In a root container or misconfigured environment, this could wipe data beyond /tmp/. The intended use of a bare `rm -rf` with glob patterns near system directories is a severe operational hazard.

scripts/install-deps.sh:23

Replace with explicit directory removal: use `rm -rf "${tmpdir}"` after saving the extracted directory path to a variable, or use a trap/cleanup function. Never use bare globs with rm -rf near /tmp.

High Doc Mismatch

Undeclared shell execution capability

SKILL.md declares zero permissions in its frontmatter, yet record-demo.mjs uses execSync to run 5+ shell commands (edge-tts, ffmpeg x3, ffprobe, python3). This is a direct doc-to-code mismatch. The skill does not declare shell:WRITE, filesystem:WRITE, or network:READ in allowed-tools.

scripts/record-demo.mjs:141

Declare all shell commands in SKILL.md frontmatter using allowed-tools mapping: Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE. Document why each tool is needed.

High RCE

Dynamically generated Python script executed at runtime

record-demo.mjs builds a Python script as a string (generateOverlayScript, ~75 lines) containing scene configuration data and PIL image processing code, writes it to /tmp, and executes it via execSync. This dynamic code generation from configuration data is undeclared functionality.

scripts/record-demo.mjs:148

Either pre-write the overlay script and call it with scene data as arguments, or rewrite the overlay logic in Node.js using the canvas package. Document this behavior in SKILL.md.

Medium Supply Chain

Unpinned pip dependencies

install-deps.sh installs edge-tts and Pillow without version constraints. Pip defaults to the latest version, which could introduce breaking changes or malicious updates.

scripts/install-deps.sh:8

Pin versions: pip3 install edge-tts==6.1.0 (or current stable) Pillow==10.x.x. Add a requirements.txt for reproducibility.

Medium Supply Chain

Remote script download over plain HTTP

install-deps.sh downloads FFmpeg via curl from johnvansickle.com over HTTPS. The site may serve over plain HTTP, and the downloaded binary is copied directly to /usr/local/bin without integrity verification (no sha256 checksum).

scripts/install-deps.sh:19

Verify the downloaded binary with a published SHA256 hash before extraction. Consider using package managers (apt, dnf) for FFmpeg installation instead.

Low Priv Escalation

FFmpeg and ffprobe installed to /usr/local/bin

The install script copies extracted binaries to /usr/local/bin, which requires write access to system directories. If run as a non-root user, it will fail; if run as root, it modifies system state.

scripts/install-deps.sh:21

Install to user-local bin (~/bin) or use the system's package manager. Document the privilege requirements.

Declared capability vs actual capability

Shell · Block · Declared NONE · Inferred WRITE
record-demo.mjs:141 execSync(`edge-tts ...`)

Shell · Block · Declared NONE · Inferred WRITE
scripts/install-deps.sh:23 rm -rf glob command

Filesystem · Block · Declared NONE · Inferred WRITE
record-demo.mjs:148 fs.writeFileSync(`${workDir}/overlay.py`, pyScript)

Network · Block · Declared NONE · Inferred READ
install-deps.sh:19 curl downloads FFmpeg from johnvansickle.com

Network · Block · Declared NONE · Inferred READ
record-demo.mjs:89 page.goto(s.url) — navigates to arbitrary URLs

Suspicious artifacts and egress

Critical Dangerous Command
rm -rf /

scripts/install-deps.sh:23

Medium External URL
https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz

scripts/install-deps.sh:19

Medium External URL
https://yourapp.dev/

scripts/record-demo.mjs:56

Medium External URL
https://yourapp.dev/feature1/

scripts/record-demo.mjs:67

Dependencies and supply chain

| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| puppeteer | not pinned | `npm i -g puppeteer` | No | Installed globally without version constraint |
| edge-tts | not pinned | `pip3 install edge-tts` | No | No version constraint in install command |
| Pillow | not pinned | `pip3 install Pillow` | No | No version constraint in install command |

File composition

5 files · 601 lines
JavaScript 1 file · 303 lines
Markdown 2 files · 242 lines
Shell 1 file · 50 lines
JSON 1 file · 6 lines
Files of concern · 2
scripts/record-demo.mjs JavaScript · 303 lines
Undeclared shell execution capability · Dynamically generated Python script executed at runtime · https://yourapp.dev/ · https://yourapp.dev/feature1/
scripts/install-deps.sh Shell · 50 lines
Destructive `rm -rf` glob command in install script · Unpinned pip dependencies · Remote script download over plain HTTP · FFmpeg and ffprobe installed to /usr/local/bin · rm -rf / · https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz
Other files · SKILL.md · demo-planning.md · _meta.json

Security positives

No credential theft: skill does not access ~/.ssh, ~/.aws, .env, or iterate environment variables for secrets
No data exfiltration: no HTTP POSTs of user data to external servers
No obfuscation: all code is readable plain text, no base64-encoded payloads or eval(atob(...)) patterns
No persistence mechanisms: no cron jobs, startup scripts, or backdoor installations
Legitimate purpose: the core functionality (video demo creation) matches documented behavior