Back to skill

Security audit

FFmpeg CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward FFmpeg helper skill for local media processing, with normal file-write risks users should handle carefully.

Install if you are comfortable letting the agent run local FFmpeg commands on files you choose. Use fresh output filenames because the scripts overwrite existing destinations, and avoid feeding merge.sh filenames or file lists from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script invokes ffmpeg with the -y flag, which forces overwriting the destination file without any prompt or safety check. If the caller supplies an existing path by mistake, important files can be silently destroyed, which is especially risky in automation or agent-driven workflows where output paths may be generated dynamically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script passes `-y` to `ffmpeg`, which forces overwriting the output path without prompting. If a user supplies an existing file path by mistake, important data can be destroyed immediately; in an automation context this increases the chance of accidental data loss. The surrounding skill context does not add evidence of malicious behavior, but it does make the issue practically relevant because this is a file-manipulation helper script likely to be run on user media files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.