Back to skill

Security audit

Openclaw Skill Cutmv Video Tool

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate FFmpeg video tool, but it needs review because unsafe metadata parsing could execute code and outputs overwrite files by default.

Install only if you are comfortable reviewing or patching the code first. Avoid running it on untrusted media until eval is replaced with strict numeric fraction parsing, use explicit output paths in non-sensitive folders, and assume existing files at output paths may be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

eval() call detected

High
Category
Dangerous Code Execution
Content
"codec": video_stream.get("codec_name") if video_stream else None,
                "width": video_stream.get("width") if video_stream else None,
                "height": video_stream.get("height") if video_stream else None,
                "fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,
            } if video_stream else None,
            "audio": {
                "codec": audio_stream.get("codec_name") if audio_stream else None,
Confidence
99% confidence
Finding
"fps": eval(video_stream.get("r_frame_rate", "0/1")) if video_stream else None,

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The wrapper forces FFmpeg overwrite mode with '-y' for all operations, which can silently destroy existing files if a user supplies an existing path or a path is constructed incorrectly. In an agent or automated workflow context, that increases the likelihood of unintended data loss because no confirmation barrier exists.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
skill.py:319