Openclaw Skill Cutmv Video Tool

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its video-processing purpose, but it uses unsafe Python eval on FFprobe-derived media data.

Install only if you are comfortable reviewing or patching the Python code. In particular, replace the eval-based FPS parsing before using the skill on untrusted video files, install FFmpeg from a trusted source, and choose output paths carefully because FFmpeg is run with overwrite enabled.

Static analysis

Dynamic code execution

Critical
Finding
Dynamic code execution detected.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Processing media or requesting video info could execute unintended Python code rather than only reading metadata.

Why it was flagged

The code uses Python eval on a value taken from FFprobe JSON output for a media file. Dynamic evaluation is not necessary for video metadata parsing and could become code execution if the evaluated string is influenced or unexpected.

Skill content
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
Recommendation

Replace eval with safe parsing, such as fractions.Fraction or explicit numerator/denominator validation, before installing or using the skill on untrusted media.

What this means

If the agent or user chooses the wrong output path, an existing local file may be overwritten.

Why it was flagged

The skill invokes FFmpeg as a local subprocess and passes output paths to it, with -y enabling overwrite behavior. This is expected for a video processing tool, but it can modify or overwrite local files.

Skill content
cmd = ["ffmpeg", "-y"] + args
Recommendation

Use explicit output paths, avoid protected or important directories, and confirm overwrites for valuable files.

What this means

The skill will rely on whichever ffmpeg/ffprobe executables are installed on the system PATH.

Why it was flagged

The skill depends on an external PATH executable installed outside the skill package. This is normal for FFmpeg-based tooling, but the registry metadata does not declare required binaries.

Skill content
FFmpeg installed and available in PATH ... macOS: `brew install ffmpeg` ... Ubuntu: `sudo apt install ffmpeg` ... Windows: ... `winget install ffmpeg`
Recommendation

Install FFmpeg from a trusted source and verify the PATH points to the expected binaries; the publisher should declare FFmpeg as a required binary.