Back to skill

Security audit

cutmv Video Tool

Security checks across malware telemetry and agentic risk

Overview

This video-processing skill appears purpose-aligned, but it contains unsafe implementation choices that could execute code from crafted media or overwrite files unexpectedly.

Review before installing. Avoid using this skill on videos or subtitle/style inputs from untrusted sources until eval() is removed, FFmpeg filter values are escaped, and overwriting existing files requires explicit user confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

eval() call detected

High
Category
Dangerous Code Execution
Content
"codec": video_stream.get("codec_name") if video_stream else None,
                "width": video_stream.get("width") if video_stream else None,
                "height": video_stream.get("height") if video_stream else None,
                "fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
            } if video_stream else None,
            "audio": {
                "codec": audio_stream.get("codec_name") if audio_stream else None,
Confidence
99% confidence
Finding
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The helper unconditionally prepends -y to ffmpeg commands, forcing overwrite of destination files without confirmation. In an agent or automation context, this increases the chance of destructive file clobbering if output paths are mistaken, attacker-influenced, or point to valuable existing files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
skill.py:319