Openclaw Skill Cutmv Video Tool

Warn: audited by ClawScan on May 10, 2026.

Overview

This is mostly a coherent local FFmpeg video tool, but one code path uses Python eval on video probe output, which is an unnecessary code-execution risk.

Only install or enable this skill after the eval-based FPS parsing is fixed. If you use it, process trusted media files, install FFmpeg from a trusted source, and give the agent explicit input/output paths to avoid accidental overwrites.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Processing or inspecting an untrusted video file could create a local code-execution risk in the agent's Python environment.

Why it was flagged

The code dynamically evaluates a string obtained from ffprobe output to calculate FPS. If that value is ever influenced by a crafted file or unexpected probe output, eval can execute Python expressions instead of just parsing a number.

Skill content

    "fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,

Recommendation

Replace eval with safe parsing, such as fractions.Fraction(value) or explicit numerator/denominator parsing, and treat media metadata as untrusted input. Note that ffprobe can report r_frame_rate as "0/0" for some streams, so the parse should also catch the resulting ZeroDivisionError (or ValueError on malformed input) rather than let it propagate.

Finding 2

What this means

If the agent or user chooses the wrong output path, existing files could be replaced.

Why it was flagged

All processing operations invoke the local FFmpeg binary and include -y overwrite behavior. This is purpose-aligned for a video tool, but it can overwrite output files without an interactive FFmpeg confirmation.

Skill content

    cmd = ["ffmpeg", "-y"] + args

Recommendation

Use explicit, non-sensitive output paths; consider adding preflight checks before overwriting existing files.

Finding 3

What this means

The skill will use whichever ffmpeg/ffprobe binaries are first in PATH, so a broken or untrusted local installation could affect behavior.

Why it was flagged

The skill depends on the system ffmpeg/ffprobe binaries even though the registry metadata lists no required binaries and no install spec. This is not malicious, but it means the platform may not preflight the dependency.

Skill content

    - FFmpeg installed and available in PATH

Recommendation

Install FFmpeg from a trusted package source and declare ffmpeg/ffprobe as required binaries in the skill metadata.