cutmv

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly behaves like a local FFmpeg video tool, but it passes a value from ffprobe metadata to Python eval, creating an unnecessary code-execution risk.

Before installing, verify that FFmpeg comes from a trusted source and avoid using the video-info function on untrusted media until the eval call is replaced with safe parsing. Also review output paths carefully, because the skill runs FFmpeg in forced overwrite mode (-y).

Static analysis

Dynamic code execution (severity: Critical)

Finding: Dynamic code execution detected.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Processing or inspecting an untrusted media file could run code under the user's account if the evaluated metadata value can be manipulated.

Why it was flagged

The skill passes a value taken from ffprobe JSON output (the r_frame_rate field) to eval. This is unnecessary for calculating a frame rate and could execute Python code if that value is ever influenced by a crafted file or compromised tool output.

Skill content
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
Recommendation

Replace eval with safe parsing, such as fractions.Fraction or validated numerator/denominator parsing, and reject non-numeric frame-rate values.

What this means

If the agent or user chooses an output path that already holds an important file, FFmpeg overwrites it without prompting.

Why it was flagged

The skill invokes FFmpeg as a local subprocess and forces overwrite mode with the -y flag. This is expected for a video-processing tool, but it means any selected output path can be replaced without confirmation.

Skill content
cmd = ["ffmpeg", "-y"] + args
Recommendation

Use explicit, non-sensitive output paths and consider adding confirmation or removing forced overwrite behavior for existing files.

What this means

If FFmpeg is not installed the skill fails; if it is, the skill runs whichever ffmpeg/ffprobe binary appears first in PATH, so the user must ensure that binary is trustworthy.

Why it was flagged

The registry metadata does not declare the FFmpeg dependency, even though SKILL.md states that FFmpeg must be installed and available in PATH. The requirement is disclosed in documentation but not enforced by the install metadata.

Skill content
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Recommendation

Install FFmpeg from a trusted package source and consider declaring FFmpeg/ffprobe as required binaries in the skill metadata.