video-processing-editing

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In the script video_editor.py, the eval() function is used to compute the fps value from the r_frame_rate metadata field returned by ffprobe. Calling eval() on data that originates from external files is unsafe: if the metadata of an input file is maliciously crafted, the expression passed to eval() can execute arbitrary code.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes untrusted video files without adequate sanitization of the extracted metadata.
  • Ingestion points: The get_video_info function in video_editor.py extracts metadata from video files via ffprobe.
  • Boundary markers: No validation or boundary markers are used to isolate the metadata from the execution environment.
  • Capability inventory: The skill can execute various system commands and scripts via subprocess.run, providing an execution path for code injected via eval().
  • Sanitization: The use of eval() represents a complete lack of sanitization for the frame rate metadata field, where safer alternatives like a dedicated fraction parser should have been used.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 06:42 PM