cutmv

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its video-processing purpose, but it contains an unsafe Python eval call while reading video metadata.

Review this skill before installing. It appears intended for local video processing, but avoid untrusted video files until the eval() call is replaced with safe parsing, and be careful with output paths because FFmpeg overwrite mode can replace existing files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Inspecting a malicious or malformed media file could potentially run unexpected Python code in the agent environment.

Why it was flagged

This executes Python code derived from FFprobe output for the selected media file. Frame-rate parsing does not require eval(), and crafted or unexpected probe output could turn metadata inspection into code execution.

Skill content

"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,

Recommendation

Do not use this skill on untrusted media until eval() is removed. Replace it with safe parsing such as fractions.Fraction, after validating that the value contains only digits and a slash.

What this means

If the agent chooses an existing output path, the existing file may be replaced.

Why it was flagged

The skill invokes FFmpeg through subprocess and enables overwrite mode. This is central to the stated video-processing purpose and uses argument lists rather than shell strings, but it can overwrite files at user-selected output paths.

Skill content

cmd = ["ffmpeg", "-y"] + args

Recommendation

Use explicit output paths, keep backups of important files, and consider changing the implementation to ask before overwriting.

What this means

The skill will run whichever FFmpeg/ffprobe binary is available in the environment, so an untrusted or broken local binary could affect behavior.

Why it was flagged

The skill depends on a system FFmpeg/ffprobe installation found through PATH. That dependency is expected for this tool, but the registry metadata does not enforce or pin it.

Skill content

- FFmpeg installed and available in PATH

Recommendation

Install FFmpeg from a trusted source and verify the binary on PATH before using the skill.