Is video-frames safe?

https://clawhub.ai/steipete/video-frames

95 · SAFE

This is a clean, minimal utility skill that wraps ffmpeg for video frame extraction. It contains no prompt injection, no data exfiltration vectors, no suspicious clone behavior, and all canary files remain intact. The only minor finding is that the --index parameter is not validated as an integer before interpolation into an ffmpeg filter string, which is low severity.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

LOW · Unsanitized --index parameter in ffmpeg filter · -15

The --index argument is interpolated directly into the ffmpeg -vf select filter as eq(n,${index}) without validation that it is a non-negative integer. A crafted value could inject additional ffmpeg filter graph expressions. However, this does not escalate to shell injection (the value is already inside a quoted ffmpeg argument) and the practical impact is limited to unexpected ffmpeg behavior.

INFO · Executable bash script included · 0

The skill ships scripts/frame.sh, a bash script that invokes ffmpeg. This is expected and appropriate for the skill's stated purpose. The script uses strict bash settings (set -euo pipefail) and has proper argument parsing with a usage function.