Dalong Video Frames
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: dalong-video-frames Version: 1.0.0 The skill provides a functional wrapper for ffmpeg to extract video frames, but the script 'scripts/frame.sh' lacks input sanitization for parameters like '--index', '--time', and '--out'. These variables are passed directly into shell commands and ffmpeg filter strings, creating a potential risk for command or filter injection if provided with crafted input. While the behavior aligns with the stated purpose, the lack of validation qualifies as a vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user chooses an important existing file as --out, that file could be overwritten.
The script creates the parent directory for the requested output path and runs ffmpeg with -y, which overwrites an existing output file without prompting. This is purpose-aligned but worth noticing.
mkdir -p "$(dirname "$out")" ... ffmpeg -hide_banner -loglevel error -y ... "$out"
Use explicit temporary or project-specific output paths and avoid pointing --out at important existing files.