Conversation

Deploying everyskill with

| Latest commit: | 4491937 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://24277e28.everyskill.pages.dev |
| Branch Preview URL: | https://skill-social-clips-177248792.everyskill.pages.dev |
Frontier Model Security Review

Final Verdict: WARN

Claude Opus 4.6 Analysis

```json
{
  "verdict": "WARN",
  "issues": [
    "The skill instructs downloading arbitrary files from external URLs (slack-edge.com avatars) via curl, which could be used to fetch content from any URL if the pattern is modified",
    "Uses unrestricted shell commands (curl, ffmpeg, npx) without sandboxing - while these are standard dev tools, they allow arbitrary command execution",
    "Accesses Slack user data via MCP tools (slack_get_users, slack_get_thread_replies) which could expose user profile information and conversation content",
    "The curl command pattern `curl -sL -o <path> <url>` could be directed at arbitrary URLs to download malicious content or exfiltrate data via DNS/URL if an attacker controls the URL parameter"
  ],
  "reasoning": "This skill is a Remotion-based video generation tool for creating social media clips from Slack threads. It is largely benign in purpose. However, there are moderate concerns: (1) It instructs the agent to run curl commands to download avatar images from URLs - while the documented URLs are legitimate Slack CDN URLs, the pattern is open-ended and could be pointed at any URL. (2) It uses MCP Slack tools to pull thread replies and user lists, which means it accesses potentially sensitive workplace conversations and user profile data. (3) Shell commands like curl, ffmpeg, and npx are used without restriction. There is no evidence of prompt injection, encoded malicious commands, or deliberate data exfiltration. The .gitignore is standard. The package.json lock file contains only well-known packages (remotion, react, esbuild, typescript). The risk level is low-to-moderate, warranting a WARN rather than FAIL since the shell usage and data access patterns could be abused but are standard for this type of development workflow."
}
```

GPT-5.2 Analysis

```json
{
  "verdict": "WARN",
  "issues": [
    {
      "category": "Data exfiltration / privacy",
      "severity": "MEDIUM",
      "evidence": [
        "Instructions to pull Slack thread data via MCP: `mcp__slack__slack_get_thread_replies(channel_id, thread_ts)`",
        "Instructions to enumerate users: `mcp__slack__slack_get_users(limit: 200)`",
        "Instructions to download avatar images from Slack CDN URLs into the repo using `curl`"
      ],
      "risk": "This workflow encourages extracting Slack content and user profile photos (PII) and storing/rendering them into shareable video outputs (MP4/GIF). That can lead to inadvertent disclosure outside Slack or retention beyond intended limits.",
      "recommendation": "Add explicit guidance/guardrails: require user consent, redact/blur names/avatars by default, support placeholder avatars, document data retention, and warn against exporting confidential threads."
    },
    {
      "category": "Dangerous tool usage (shell/network)",
      "severity": "LOW",
      "evidence": [
        "Use of `curl -sL -o ... \"https://avatars.slack-edge.com/...\"`",
        "Use of `ffmpeg` to generate GIFs",
        "Use of `npx remotion render ...` and npm scripts"
      ],
      "risk": "Network egress is required (curl downloads). While no destructive commands are present (e.g., `rm -rf`), shell execution plus downloading remote content can be abused if a user is tricked into fetching malicious or unexpected URLs, or if scripts are modified in the unseen parts of the repo.",
      "recommendation": "Pin/validate download domains (allowlist slack-edge.com), advise verifying URLs, consider providing a safer asset import mechanism, and review package scripts in package.json for any pre/postinstall hooks (not provided here)."
    },
    {
      "category": "Prompt injection",
      "severity": "LOW",
      "evidence": [
        "No 'ignore previous', hidden instructions, or encoded command sequences observed in the provided README/manifest excerpt",
        "Some mojibake/encoding artifacts (e.g., '�', '�', '�') appear to be character encoding issues, not obfuscated instructions"
      ],
      "risk": "Low based on the provided content only; however, unseen source files could still contain embedded prompt-injection strings.",
      "recommendation": "Scan source (`src/**`) and built artifacts (`dist/`, `out/`) for common injection patterns and base64/hex blobs; ensure any LLM-facing prompts are sanitized."
    },
    {
      "category": "Overly permissive allowed-tools",
      "severity": "INFO",
      "evidence": [
        "Workflow implies access to Slack MCP tools and general shell commands (`curl`, `ffmpeg`, `npx`)"
      ],
      "risk": "If this skill is executed in an agentic environment with broad tool permissions (Slack read + unrestricted shell + network), it increases blast radius for data leakage.",
      "recommendation": "Constrain permissions: limit Slack scopes to required channels/threads, restrict shell/network egress, and require explicit user confirmation before exporting/downloading avatars or rendering/shareable outputs."
    }
  ],
  "reasoning": "No explicit malicious prompt-injection or destructive commands are visible in the provided excerpt. The primary security concern is privacy/data-exfiltration risk: the skill’s intended use pulls Slack thread content and user avatars (PII) and produces portable media outputs, plus it directs users to download assets via network calls. These are legitimate functions but warrant guardrails and tighter tool permissions. Because potentially sensitive Slack data handling is central to the workflow, the overall verdict is WARN."
}
```

Frontier model review complete. Human approval still required.
New Skill Submission
Skill: social-clips
Submitted by: Montaigne (Every)
Reason: Shared internal skill for turning Slack threads into polished social clips. Requested by the team for use across claws.
This PR was auto-generated from skills.every.to (agent-api).
AI security review will run automatically.