video-trim
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to generate and execute bash commands using `ffmpeg` and `ffprobe` based on user input.
  - Ingestion points: The agent accepts an `$INPUT_FILE` path and various user-defined parameters (start time, end time, CRF values, output paths).
  - Capability inventory: The skill uses `ffprobe` to read file metadata and `ffmpeg` to write new video files.
  - Evidence: Templates such as `ffprobe ... "$INPUT_FILE"` and `ffmpeg -ss START -to END -i "INPUT" -c copy "OUTPUT"` are used to build commands.
  - Risk: Although the templates use double quotes, malicious filenames (e.g., `video"; touch /tmp/pwned; "`) could potentially lead to command injection depending on how the underlying system shell processes the strings provided by the agent.
- [DATA_EXFILTRATION] (LOW): The skill reads local file metadata and displays it to the user.
  - Evidence: `ffprobe -v error -show_entries format=duration,size,bit_rate -show_entries stream=codec_name,width,height,r_frame_rate -of json "$INPUT_FILE"`.
  - Risk: While the metadata requested is technical (codec, duration, size), an attacker could attempt to point the tool at sensitive files to confirm their existence or basic properties, though actual file content extraction is not a primary feature.
Audit Metadata