cutmv Video Tool

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The tool mostly matches its video-processing purpose, but it uses Python eval on video metadata, which is an unnecessary code-execution risk when handling media files.

Only use this skill with media files and output paths you trust. Before installing, ask the maintainer to remove the eval call and safely parse FPS values; also verify the full skill.py and use a trusted FFmpeg installation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

Processing a crafted media file through the video-info path could run unintended Python code, or at least crash the skill.

Why it was flagged

The skill evaluates a string taken from ffprobe JSON for a user-supplied media file. Dynamic evaluation is unnecessary for FPS parsing and could become code execution if hostile or malformed metadata reaches this field.

Skill content
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
Recommendation

Replace eval with safe parsing, such as fractions.Fraction or explicit integer numerator/denominator validation, before publishing or installing.

What this means

If the agent or user chooses an existing or sensitive output path, the file may be overwritten.

Why it was flagged

The skill runs FFmpeg locally and globally enables overwrite mode. This is expected for a video-processing tool, but it can replace existing output files without prompting.

Skill content
cmd = ["ffmpeg", "-y"] + args
Recommendation

Use explicit safe output paths, keep backups of originals, and consider changing the implementation to avoid '-y' unless overwrite is confirmed.

What this means

The skill may fail or rely on whatever FFmpeg binary is first in PATH.

Why it was flagged

The skill depends on FFmpeg/ffprobe even though the registry requirement section declares no required binaries. This is an install-transparency issue rather than evidence of malicious behavior.

Skill content
- FFmpeg installed and available in PATH
Recommendation

Declare ffmpeg/ffprobe as required binaries and install FFmpeg from a trusted source.