ffmpeg-tools

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Finding category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The ffmpeg.js file uses execSync with string interpolation to execute shell commands for disk space checks and media probing. In checkDiskSpace, the dir variable is interpolated into a df command string, and in getMediaInfo, the inputFile is interpolated into an ffprobe command. Since these values are derived from user-provided file paths, an attacker can execute arbitrary shell commands by using filenames containing shell metacharacters like ;, &, or backticks.
  • [COMMAND_EXECUTION]: The ffmpeg.js script uses the eval() function on the r_frame_rate value extracted from ffprobe output. If a malicious media file is crafted so that ffprobe returns a string containing JavaScript code as the frame rate, that code will be executed with the privileges of the Node.js process.
  • [COMMAND_EXECUTION]: The shell scripts info.sh and compress.sh use python3 -c to perform calculations and formatting. They interpolate shell variables like $DURATION, $BITRATE, and $FPS directly into the Python command string. For example, in info.sh, variables are placed inside single quotes (e.g., float('$DURATION' or 0)). An attacker providing a file that causes ffprobe to return a string containing a single quote followed by Python commands could achieve arbitrary code execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 05:10 AM