video-frames

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: video-frames.js contains a command injection vulnerability in the validateVideo function.
  • Evidence: It uses execSync with a template literal to run ffprobe, embedding the inputFile variable directly in the shell command line: execSync(`ffprobe -v error -print_format json -show_format -show_streams "${inputFile}"`, ...). Because execSync hands the whole string to a shell, a filename containing shell metacharacters such as ; or $(...) (the surrounding double quotes do not neutralise $(...) or a literal " inside the name) results in arbitrary command execution on the host system.
  • [COMMAND_EXECUTION]: Dangerous use of the eval() function in video-frames.js.
  • Evidence: The code uses eval(videoStream.r_frame_rate) to turn the frame-rate string returned by ffprobe (a rational such as 30000/1001) into a number. eval() executes the string as JavaScript, so if a video file carries malicious metadata that influences ffprobe's output, the result is arbitrary code execution inside the Node process; a numeric parser for the num/den form is all that is needed here.
  • [COMMAND_EXECUTION]: The shell scripts frame.sh, gif.sh, and thumbnails.sh pass unvalidated user input to system commands.
  • Evidence: These scripts pass variables such as $VIDEO and $OUT directly to ffmpeg and ffprobe. Double-quoting stops word splitting and metacharacter interpretation by the shell, but the values are never validated as file paths: a value that begins with - can, depending on its position on the command line, be interpreted by ffmpeg or ffprobe as an option rather than a filename, and the scripts offer no further defence in environments where the caller cannot be trusted.
  • [COMMAND_EXECUTION]: In thumbnails.sh, tool output and a user-provided count are interpolated into a python3 command string that is then executed.
  • Evidence: INTERVAL=$(python3 -c "print($DURATION / ($COUNT + 1))"). Both $DURATION and $COUNT are substituted into the Python source text before the interpreter sees it, so a non-numeric value in either variable is executed as Python code rather than treated as data, giving arbitrary code execution within the Python interpreter.
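The following is an added example, not code from the video-frames project: the execSync/eval shape reported in the first two findings, reconstructed from the evidence lines above rather than copied from video-frames.js, beside a hardened validateVideo that uses execFileSync (an argv array, so no shell is involved) and a strict rational parser instead of eval(). It also carries a JavaScript counterpart of the thumbnails.sh interval computation from the last finding, where both operands are checked as numbers before any arithmetic. The names ffprobeArgs, parseFrameRate, thumbnailInterval and the injectable runner parameter are illustrative; ffprobe is only spawned when validateVideo() is called without a custom runner.

```javascript
// Added example, not the video-frames project's own code. It contrasts the
// execSync/eval pattern from the audit with a hardened version and a validated
// interval calculation. Names are illustrative, not taken from the project.

// Vulnerable shape reconstructed from the audit evidence, kept only for comparison.
// execSync is injected here so that loading this file never touches a shell.
function validateVideoUnsafe(inputFile, execSync) {
  const json = execSync(
    `ffprobe -v error -print_format json -show_format -show_streams "${inputFile}"`
  ).toString();
  const stream = JSON.parse(json).streams.find((s) => s.codec_type === "video");
  return eval(stream.r_frame_rate); // "30000/1001" -> 29.97, but any JavaScript runs
}

// Build the ffprobe argument vector. With execFileSync the filename is one argv entry,
// so ; $(...) and quotes are plain characters. A leading "-" would still be read by
// ffprobe as an option, so it is rejected outright rather than left to the tool.
function ffprobeArgs(inputFile) {
  if (typeof inputFile !== "string" || inputFile === "" || inputFile.startsWith("-")) {
    throw new TypeError("inputFile must be a non-empty path that does not start with '-'");
  }
  return ["-v", "error", "-print_format", "json", "-show_format", "-show_streams", inputFile];
}

// r_frame_rate is a rational ("30000/1001") or a bare integer ("25"). Accept exactly that
// grammar and evaluate it with arithmetic; anything else is an error, never code.
const RATIONAL = /^(\d{1,9})(?:\/(\d{1,9}))?$/;
function parseFrameRate(str) {
  const m = RATIONAL.exec(String(str).trim());
  if (!m) throw new Error(`unexpected r_frame_rate: ${JSON.stringify(str)}`);
  const den = m[2] === undefined ? 1 : Number(m[2]);
  if (den === 0) throw new Error("zero denominator in r_frame_rate");
  return Number(m[1]) / den;
}

// Hardened validateVideo. `runner` defaults to execFileSync; it is a parameter so the
// function can be exercised against canned ffprobe output without the binary installed.
function validateVideo(inputFile, runner) {
  const run = runner || require("node:child_process").execFileSync;
  const out = run("ffprobe", ffprobeArgs(inputFile), {
    encoding: "utf8",
    stdio: ["ignore", "pipe", "pipe"],
  });
  const info = JSON.parse(out);
  const stream = (info.streams || []).find((s) => s.codec_type === "video");
  if (!stream) throw new Error("no video stream found");
  const duration = Number(info.format && info.format.duration);
  if (!Number.isFinite(duration)) throw new Error("ffprobe did not report a duration");
  return { fps: parseFrameRate(stream.r_frame_rate), duration };
}

// Accept only strings or numbers as numeric input; anything else (null, booleans,
// objects) is rejected instead of being coerced by Number().
function toNumber(value, name) {
  if (typeof value !== "string" && typeof value !== "number") {
    throw new TypeError(`${name} must be a string or number`);
  }
  return Number(value);
}

// Counterpart of thumbnails.sh's INTERVAL=$(python3 -c "print($DURATION / ($COUNT + 1))"):
// both operands are validated as numbers and the division is done here, not by splicing
// raw strings into an interpreter command line.
function thumbnailInterval(duration, count) {
  const d = toNumber(duration, "duration");
  const c = toNumber(count, "count");
  if (!Number.isFinite(d) || d <= 0) throw new RangeError("duration must be a positive number");
  if (!Number.isInteger(c) || c < 1 || c > 10000) {
    throw new RangeError("count must be an integer from 1 to 10000");
  }
  return d / (c + 1);
}
```

The key difference from the audited code is where parsing happens: validateVideo builds argv and parses r_frame_rate itself, so the only thing ffprobe or a shell ever sees as "code" is the fixed option list, and a hostile filename or metadata string can at worst make the function throw.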
Recommendations
  • AI detected serious security threats. Replace execSync(`ffprobe ... "${inputFile}"`) with execFileSync("ffprobe", [...fixedOptions, inputFile]) so that no shell is involved and the filename is a single argument; replace eval(videoStream.r_frame_rate) with a parser that accepts only the num/den rational form and computes the division itself; in frame.sh, gif.sh and thumbnails.sh, check that $VIDEO and $OUT are plausible file paths (not beginning with -) and that $DURATION and $COUNT are numeric before use, and compute INTERVAL by passing the values to python3 as arguments read from sys.argv rather than splicing them into the -c source text.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 05:11 AM