cutmv Video Tool

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The video tool mostly matches its stated purpose, but it uses Python eval on media metadata, which is unsafe when processing untrusted video files.

Do not process untrusted media with this skill until the eval() call is removed. If you install it, use a trusted FFmpeg build and carefully confirm output paths because FFmpeg operations may overwrite files.

Static analysis

Dynamic code execution

Severity: Critical
Finding: Dynamic code execution detected.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed media file, compromised ffprobe output, or unexpected metadata value could cause code execution or crashes in the agent's local environment.

Why it was flagged

get_video_info parses ffprobe JSON for a user-selected media file, then evaluates the r_frame_rate string as Python code. Even if ffprobe normally emits numeric ratios, eval is an unnecessary dynamic execution sink for file-derived data.

Skill content
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
Recommendation

Replace eval() with safe parsing, such as fractions.Fraction after validating the value matches a numeric ratio pattern, and reject malformed values.

What this means

If the agent or user chooses the wrong output filename, an existing local file could be replaced.

Why it was flagged

The skill invokes FFmpeg for local file transformations and forces overwrite with -y. This is purpose-aligned, but it means an incorrect output path can overwrite an existing file.

Skill content
cmd = ["ffmpeg", "-y"] + args
Recommendation

Review input/output paths before running operations, avoid protected or important paths, and consider adding an overwrite confirmation or existence check.

What this means

The skill may fail if FFmpeg/ffprobe is missing, and the security of processing depends partly on the FFmpeg build installed on the user's system.

Why it was flagged

The skill depends on a system FFmpeg installation, but the registry metadata for this review lists no required binaries and no install spec. Users must supply and trust that external dependency themselves.

Skill content
- FFmpeg installed and available in PATH
Recommendation

Install FFmpeg from a trusted package manager or official source, keep it updated, and declare ffmpeg/ffprobe as required binaries in the skill metadata.