FFmpeg CLI

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The `merge.sh` script is vulnerable to command injection. It constructs a temporary file (`TEMP_LIST`) from user-supplied arguments without sanitization and then uses `ffmpeg -f concat -safe 0 -i "$TEMP_LIST"`. The `-safe 0` option disables security checks for the concat demuxer, allowing `ffmpeg` to interpret `file 'pipe:...'` entries in the list as commands. A malicious actor providing crafted input (e.g., `file 'pipe:cat /etc/passwd'`) to the `merge.sh` script could achieve arbitrary command execution or data exfiltration, which makes this a significant risk.