suspicious.dynamic_code_execution
- Location
- skill.py:319
- Finding
- Dynamic code execution detected.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.dynamic_code_execution
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Inspecting a malicious or malformed media file could potentially run unexpected Python code in the agent environment.
This executes Python code derived from FFprobe output for the selected media file. Frame-rate parsing does not require eval(), and crafted or unexpected probe output could turn metadata inspection into code execution.
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
Do not use this skill on untrusted media until eval() is removed. Replace it with safe parsing such as fractions.Fraction, after validating that the value contains only digits and a slash.
If the agent chooses an existing output path, the existing file may be replaced.
The skill invokes FFmpeg through subprocess and enables overwrite mode. This is central to the stated video-processing purpose and uses argument lists rather than shell strings, but it can overwrite files at user-selected output paths.
cmd = ["ffmpeg", "-y"] + args
Use explicit output paths, keep backups of important files, and consider changing the implementation to ask before overwriting.
The skill will run whichever FFmpeg/ffprobe binary is available in the environment, so an untrusted or broken local binary could affect behavior.
The skill depends on a system FFmpeg/ffprobe installation found through PATH. That dependency is expected for this tool, but the registry metadata does not enforce or pin it.
- FFmpeg installed and available in PATH
Install FFmpeg from a trusted source and verify the binary on PATH before using the skill.