Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cutmv
v1.0.0
Video processing tool using FFmpeg for cutting, format conversion, compression, frame/audio extraction, watermarking, and subtitle addition.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name, README, SKILL.md, and code all describe an FFmpeg-based video tool, which is coherent. However, the registry metadata claims no required binaries/configs, while SKILL.md and skill.py clearly require FFmpeg and ffprobe on PATH — the declared requirements are incomplete. The source/homepage is 'unknown' even though the README references a GitHub repo URL, so provenance is unclear.
Instruction Scope
SKILL.md stays within the expected scope (running ffmpeg/ffprobe via skill.py). It does not instruct reading unrelated system files or using external endpoints. The runtime uses subprocess with argument lists (no shell=True), which is safer. However, skill.py uses eval(...) when parsing ffprobe's r_frame_rate, which is an unsafe pattern if ffprobe output can be tampered with or if untrusted metadata is processed.
Install Mechanism
No install spec (instruction-only plus a Python file) — lowest install risk. The skill relies on a system FFmpeg/ffprobe installation as documented in SKILL.md rather than pulling arbitrary code from the network during install.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. But it fails to declare the required system binaries (ffmpeg/ffprobe) in the registry metadata — an omission that underreports the actual external dependency. There are no requests for unrelated secrets or config paths.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skills or system settings. Autonomous invocation is allowed (default), but that's normal for skills and is not combined with other high-risk factors here.
What to consider before installing
This skill appears to do what it claims (video ops via FFmpeg), but check these before installing:
- Verify FFmpeg/ffprobe are required: SKILL.md and code require ffmpeg on PATH even though the registry metadata omits it. Ensure you have FFmpeg installed from a trusted source.
- Review the code locally (skill.py) before running. There is use of eval() when parsing ffprobe output — that is a potential code-injection risk if input metadata is malicious. If you will process untrusted files, either sandbox execution or patch the code to avoid eval (e.g., parse the fraction safely).
- Confirm provenance: source/homepage is unknown. Prefer skills with a verifiable repository or maintainer identity. The README references a GitHub repo and authors; validate those links and signatures if possible.
- Run the tests and the CLI in a safe environment (sandbox or VM) to observe behavior: python skill.py test and sample operations on harmless media files.
- If you need tighter security, request the author to (1) update registry metadata to list ffmpeg/ffprobe as required binaries, (2) remove eval and handle ffprobe output safely, and (3) provide a canonical source/repo for review.
Given these issues, proceed with caution. The problems look like sloppy metadata and one unsafe code pattern rather than clear malicious intent, hence 'suspicious' with medium confidence.