Wjs Burning Subtitles
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote download or delivery path is compromised, the user could run attacker-controlled code under their local account.
The script automatically downloads an executable ffmpeg ZIP from a remote URL, extracts it, and marks the binary executable without pinning a version, checksum, or signature.
EVERMEET_URL = "https://evermeet.cx/ffmpeg/getrelease/zip" ... urllib.request.urlretrieve(EVERMEET_URL, z) ... zf.extractall(STATIC_FF.parent) ... os.chmod(str(STATIC_FF), 0o755)
Prefer requiring the user to install ffmpeg from a trusted package manager, or pin the download to a specific verified release with checksum/signature validation and clear user approval before first use.
A stale or malicious executable placed at the cached /tmp path could be run automatically when the skill renders a video.
The script will execute /tmp/ff_bin/ffmpeg if it already exists, and otherwise may execute the downloaded fallback binary, without validating the existing file.
if STATIC_FF.exists():
    return str(STATIC_FF) ... cmd = [ff, "-hide_banner", "-y", *inputs] ... r = subprocess.run(cmd)
Validate the cached binary before use, store it in a less risky managed location, and ask the user before downloading or executing a fallback binary.
A mistaken output path could overwrite an existing media file.
The skill runs local ffmpeg commands and uses -y, which overwrites the output path without an ffmpeg prompt; this is expected for video rendering but users should choose output paths carefully.
cmd = [ff, "-hide_banner", "-y", *inputs] ... cmd += ["-c:a","aac","-b:a", f"{a.audio_bitrate}k", a.out]
Use a new output filename or confirm before overwriting important files.
