cutmv
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: cutmv
Version: 1.0.0

The `skill.py` file contains a critical Remote Code Execution (RCE) vulnerability. The `get_video_info` function calls `eval()` on the `r_frame_rate` value taken from the `ffprobe` output for the selected file. If that value is anything other than a plain rational number, the Python expression is executed with the agent's privileges, so a crafted or malformed media file, or a tampered `ffprobe`, can turn metadata inspection into code execution.

Additionally, the `add_subtitle` and `add_text_watermark` functions are vulnerable to filtergraph injection: the user-controlled `subtitle_file`, `style`, and `text` arguments are embedded into FFmpeg filter strings without escaping or validation. Because FFmpeg is invoked with an argument list rather than a shell string, this does not yield shell command injection, but a value containing filtergraph separators such as `:` or `,` can add or alter filter options, point a filter at an unintended file, or otherwise make FFmpeg perform something other than the requested operation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Inspecting a malicious or malformed media file could potentially run unexpected Python code in the agent environment.
This executes Python code derived from FFprobe output for the selected media file. Frame-rate parsing does not require eval(), and crafted or unexpected probe output could turn metadata inspection into code execution.
```python
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
```

Do not use this skill on untrusted media until eval() is removed. Replace it with safe parsing such as fractions.Fraction, after validating that the value contains only digits and a single slash, and handle a zero denominator (ffprobe reports `0/0` for streams without a usable frame rate) without raising.
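The following is an added example of the safe replacement described above; it is not code from the cutmv skill. It parses the `r_frame_rate` field out of `ffprobe -show_streams -of json` output with a strict pattern check and `fractions.Fraction`, so a value that happens to be Python syntax is rejected instead of executed. The two JSON documents are constructed samples of what probe output looks like, and the `get_video_info` signature (taking the probe JSON as a string rather than running ffprobe) is an assumption made so the example runs offline.

```python
import json
import re
from fractions import Fraction
from typing import Optional

# Exactly the shape ffprobe emits for r_frame_rate: "<digits>/<digits>", e.g. "30000/1001" or "0/0".
_FRAME_RATE_RE = re.compile(r"^(\d+)/(\d+)$")


def parse_frame_rate(value: str) -> Optional[float]:
    """Convert an ffprobe rational such as "30000/1001" to a float without eval().

    Anything that is not two decimal integers joined by one slash raises ValueError,
    so metadata that contains Python syntax is never evaluated. A zero denominator
    (ffprobe prints "0/0" for streams without a usable frame rate) yields None.
    """
    if not isinstance(value, str):
        raise ValueError(f"frame rate must be a string, got {type(value).__name__}")
    m = _FRAME_RATE_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"rejected non-rational frame rate {value!r}")
    num, den = int(m.group(1)), int(m.group(2))
    if den == 0:
        return None
    return float(Fraction(num, den))


def get_video_info(probe_json: str) -> dict:
    """Extract width, height and fps from `ffprobe -show_streams -of json` output."""
    data = json.loads(probe_json)
    video_stream = next(
        (s for s in data.get("streams", []) if s.get("codec_type") == "video"), None
    )
    if video_stream is None:
        return {"width": None, "height": None, "fps": None}
    return {
        "width": video_stream.get("width"),
        "height": video_stream.get("height"),
        # Safe replacement for the skill's eval(video_stream.get("r_frame_rate", "0/1")).
        "fps": parse_frame_rate(video_stream.get("r_frame_rate", "0/1")),
    }


# Constructed sample: probe output for an NTSC-rate 1080p stream plus an audio track.
SAMPLE_PROBE = json.dumps({
    "streams": [
        {"codec_type": "audio", "codec_name": "aac"},
        {"codec_type": "video", "width": 1920, "height": 1080, "r_frame_rate": "30000/1001"},
    ]
})

# Constructed sample of hostile probe output: under eval() this string would run os.system("id").
HOSTILE_PROBE = json.dumps({
    "streams": [
        {"codec_type": "video", "r_frame_rate": "__import__('os').system('id')"},
    ]
})

if __name__ == "__main__":
    print(get_video_info(SAMPLE_PROBE))
    try:
        get_video_info(HOSTILE_PROBE)
    except ValueError as exc:
        print("rejected:", exc)
```

The pattern deliberately accepts nothing but `digits/digits`; ffprobe never emits a bare integer or whitespace-padded value for this field, so the strictness costs nothing and leaves no room for an expression to slip through.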
If the agent chooses an existing output path, the existing file may be replaced.
The skill invokes FFmpeg through subprocess and enables overwrite mode. This is central to the stated video-processing purpose and uses argument lists rather than shell strings, but it can overwrite files at user-selected output paths.
```python
cmd = ["ffmpeg", "-y"] + args
```

Use explicit output paths, keep backups of important files, and consider changing the implementation to ask before overwriting, or to pass `-n` (which makes FFmpeg exit rather than replace an existing output file) unless the user has explicitly requested an overwrite.
The skill will run whichever FFmpeg/ffprobe binary is available in the environment, so an untrusted or broken local binary could affect behavior.
The skill depends on a system FFmpeg/ffprobe installation found through PATH. That dependency is expected for this tool, but the registry metadata does not enforce or pin it.
- FFmpeg installed and available in PATH
Install FFmpeg from a trusted source (your distribution's package manager or a checksummed release), confirm which binary PATH resolves to (`command -v ffmpeg`) before using the skill, and prefer configuring an explicit binary path over relying on whatever PATH lookup returns.
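As an added example of how the three findings above (filter-string injection, unconditional `-y`, and unpinned binary lookup) can be addressed together, the following is not the skill's code but a hardened sketch of the pieces it would need. It assumes, from the function names, that `add_subtitle` and `add_text_watermark` correspond to FFmpeg's `subtitles` and `drawtext` filters; the page does not show the skill's actual filter strings. The `STYLES` table, the `FFMPEG_BINARY`-style explicit path parameter and the `demo()` driver are illustrative. Rather than trying to escape user text through FFmpeg's multi-level filtergraph quoting, it keeps user text out of the filter string entirely (`drawtext` reads it from a file via `textfile=`), allowlists `style`, and rejects any embedded path that contains filtergraph metacharacters.

```python
import os
import re
import shutil
import tempfile
from typing import List, Optional

# Conservative allowlist for anything embedded in a filtergraph string: no ':', ',', ';',
# '[', ']', backslash or quotes, so a value can never terminate one option and start another.
_SAFE_FILTER_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")

# `style` is only ever used as a key here; the raw string never reaches FFmpeg.
# Fragments are ordinary drawtext options (illustrative values).
STYLES = {
    "plain": "fontsize=24:fontcolor=white",
    "boxed": "fontsize=24:fontcolor=white:box=1:boxcolor=black@0.5",
    "large": "fontsize=48:fontcolor=yellow",
}


def safe_filter_path(path: str) -> str:
    """Return an absolute path to an existing file that is safe inside a filter string."""
    resolved = os.path.realpath(path)
    if not os.path.isfile(resolved):
        raise FileNotFoundError(resolved)
    if not _SAFE_FILTER_VALUE.match(resolved):
        raise ValueError(f"path contains filtergraph metacharacters: {resolved!r}")
    return resolved


def text_watermark_filter(text: str, style: str, workdir: str) -> str:
    """Build a drawtext filter without interpolating `text` into the graph.

    The text is written to a scratch file and referenced with `textfile=`, so ':' or ','
    in the text is data, not filter syntax. `style` must be a key of STYLES.
    """
    if style not in STYLES:
        raise ValueError(f"unknown style {style!r}; choose one of {sorted(STYLES)}")
    fd, path = tempfile.mkstemp(prefix="wm_", suffix=".txt", dir=workdir)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return f"drawtext=textfile={safe_filter_path(path)}:{STYLES[style]}"


def subtitle_filter(subtitle_file: str) -> str:
    """Build a subtitles filter from a validated, existing file path."""
    return f"subtitles={safe_filter_path(subtitle_file)}"


def build_ffmpeg_cmd(input_path: str, output_path: str, vf: str,
                     allow_overwrite: bool = False,
                     ffmpeg_binary: Optional[str] = None) -> List[str]:
    """Assemble the argv list to hand to subprocess.run (no shell involved).

    Uses an explicit binary path when configured, otherwise the first `ffmpeg` on PATH,
    and fails loudly if neither exists. Defaults to `-n` (never overwrite) instead of
    the skill's unconditional `-y`, and refuses up front if the output already exists.
    """
    binary = ffmpeg_binary or shutil.which("ffmpeg")
    if not binary or not os.path.isfile(binary):
        raise FileNotFoundError("ffmpeg binary not found; install it or pass ffmpeg_binary")
    if os.path.exists(output_path) and not allow_overwrite:
        raise FileExistsError(f"{output_path} exists; pass allow_overwrite=True to replace it")
    overwrite_flag = "-y" if allow_overwrite else "-n"
    return [binary, "-nostdin", overwrite_flag, "-i", input_path, "-vf", vf, output_path]


def demo() -> dict:
    """Exercise the helpers in a scratch directory with a stand-in binary; returns results."""
    work = tempfile.mkdtemp(prefix="cutmv_demo_")
    try:
        fake_ffmpeg = os.path.join(work, "ffmpeg")  # placeholder so no real FFmpeg is needed
        open(fake_ffmpeg, "w").close()
        srt = os.path.join(work, "subs.srt")
        with open(srt, "w") as fh:
            fh.write("1\n00:00:00,000 --> 00:00:01,000\nhello\n")  # constructed subtitle
        bad_srt = os.path.join(work, "a,b.srt")  # exists, but its name carries a separator
        open(bad_srt, "w").close()
        out = os.path.join(work, "out.mp4")
        results = {"subtitle_vf": subtitle_filter(srt)}
        # Text full of filtergraph metacharacters: it lands in a file, not in the graph.
        results["watermark_vf"] = text_watermark_filter("sale: 50%, today;[now]", "boxed", work)
        results["cmd"] = build_ffmpeg_cmd(os.path.join(work, "in.mp4"), out,
                                          results["watermark_vf"], ffmpeg_binary=fake_ffmpeg)
        for bad in ("plain:fontsize=900", "boxed,crop=1:1"):  # style values the skill would pass through
            try:
                text_watermark_filter("x", bad, work)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        try:
            subtitle_filter(bad_srt)
            results["bad_subtitle"] = "accepted"
        except ValueError:
            results["bad_subtitle"] = "rejected"
        open(out, "w").close()  # now the output exists: default must refuse, opt-in must use -y
        try:
            build_ffmpeg_cmd("in.mp4", out, "null", ffmpeg_binary=fake_ffmpeg)
            results["overwrite_refused"] = False
        except FileExistsError:
            results["overwrite_refused"] = True
        results["cmd_overwrite"] = build_ffmpeg_cmd("in.mp4", out, "null", allow_overwrite=True,
                                                    ffmpeg_binary=fake_ffmpeg)
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allowlist is intentionally narrow; if the skill must accept arbitrary user paths, copy or symlink them into a controlled working directory first rather than loosening the pattern, since correct escaping differs between the filtergraph and filter-option parsing levels.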
