ffmpeg-video-editor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This skill appears safe to use as a command generator, but treat its output like any shell command: check the input and output filenames, avoid overwriting important files, and make sure FFmpeg is installed from a trusted source before running anything. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
55/55 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated command could overwrite an existing output video or audio file without FFmpeg asking again.
The FFmpeg `-y` flag suppresses overwrite prompts. This is relevant because generated commands may replace an existing output file if the user reuses a filename.
Quoted from the skill's instructions: "Always include `-y` (overwrite) and `-hide_banner` for cleaner output"
Before running a generated command, verify the output path. Remove `-y` or ask the agent to avoid overwriting unless you are sure.
The skill may generate commands that fail unless FFmpeg is already installed.
The registry metadata does not declare FFmpeg as a required binary, even though SKILL.md is built around producing `ffmpeg` commands. This appears to be an incomplete requirement declaration, not hidden code.
Quoted from the registry metadata: "Required binaries (all must exist): none"
Install FFmpeg from a trusted source and review generated commands before running them.
