Ffmpeg Master Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a local FFmpeg video-processing helper; its shell and file access fit that purpose, but users should watch output paths and overwrites.

Install only if you are comfortable letting the agent run local FFmpeg commands on media files you specify. Before each run, confirm the exact input files, output path, and whether overwriting is allowed; avoid processing untrusted media or subtitles without sandboxing, and do not use untrusted custom preset names or raw batch commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
        try:
            # Execute the command
            process = subprocess.Popen(
                shlex.split(command),
                shell=False,
                stdout=subprocess.PIPE,
Confidence
90% confidence
Finding
process = subprocess.Popen( shlex.split(command), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Run the FFmpeg command
            result = subprocess.run(
                shlex.split(task.command), shell=False, capture_output=True, text=True, check=True
            )
Confidence
91% confidence
Finding
result = subprocess.run( shlex.split(task.command), shell=False, capture_output=True, text=True, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

        try:
            subprocess.run(cmd, capture_output=True, text=True, check=True)
            return output_path
        except subprocess.CalledProcessError as e:
            raise Exception(f"烧录字幕失败: {e.stderr}")
Confidence
92% confidence
Finding
subprocess.run(cmd, capture_output=True, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

        try:
            result = subprocess.run(cmd, capture_output=True, text=True, check=True)

            # Extract the VMAF score from the output
            for line in result.stderr.split("\n"):
Confidence
79% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs use of shell commands (`ffmpeg`, `ffprobe`, `exec background:true`) and read/write access to user-supplied file paths, yet no explicit permissions are declared. This creates a capability mismatch where an agent may execute powerful file and shell operations without transparent user/admin review, increasing the risk of unsafe command construction, unintended file modification, or operation on sensitive paths.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The preset manager persists user-supplied preset data under the user's home directory, creating durable state outside the immediate video-processing task. While custom presets are feature-related, writing arbitrary named files to a persistent config location expands the skill's capability surface and can be abused for unintended persistence or filesystem manipulation if names/content are not tightly validated.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
`validate_params()` claims to validate encoding parameters generally, but it unconditionally compares `params.crf` against numeric bounds even though `crf` is explicitly optional and is set to `None` in target-size mode. Passing such a valid `EncodingParams` instance will raise a `TypeError`, allowing a malformed or merely size-target-generated request to crash validation logic and potentially interrupt video-processing workflows.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description activates on an extremely broad set of video-related requests, making accidental or overly eager invocation likely. In a skill that can read/write files and run shell commands, broad triggering increases the chance the agent applies this skill in contexts where the user did not clearly intend local media processing, potentially leading to unsafe file access or command execution paths.

Vague Triggers

Low
Confidence
74% confidence
Finding
Automatically selecting a preset merely because a platform name is mentioned is ambiguous and can cause unintended processing choices. While lower severity than direct code execution issues, this can still lead to the wrong encoding profile, quality loss, metadata handling mistakes, or unexpected output characteristics without clear user consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions use broad natural-language phrases such as compression, transcoding, format conversion, or reducing file size without stronger contextual constraints. This can cause the skill to activate on casual discussion rather than an explicit request to process files, increasing the risk of unintended tool invocation and unsafe file operations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The GIF workflow trigger words are very generic conversational terms like GIF or moving image and lack contextual checks for an actual transformation request. In an agent environment, this can lead to accidental invocation from ordinary chat, which is risky because it may trigger file access or media processing unexpectedly.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The merge workflow includes generic verbs like merge, join, or concatenate, which are common in non-media contexts. Because merging files is a state-changing operation, broad triggers increase the chance of misrouting unrelated requests into a file-processing workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The encoder writes to a derived output path and invokes ffmpeg with '-y', which forcibly overwrites any existing file at that path without confirmation. In a skill context where input paths may come from user-controlled or automation-controlled sources, this can destroy existing data or clobber unintended files, making the behavior materially riskier than a normal local utility script.

VirusTotal

65/65 vendors flagged this skill as clean.
