Video Frames

Scanned on 2/7/2026

⚠️ 45/100 high

Script has command injection vulnerabilities through unsanitized user inputs passed to ffmpeg and mkdir commands, allowing arbitrary command execution.

Trust Score
45/100
Risk Level
high
Issues Found
5

Security Analysis

This script has critical security vulnerabilities despite some good practices. The main issues are: (1) The 'index' parameter is directly interpolated into an ffmpeg filter expression without validation, allowing command injection via shell metacharacters. (2) The 'time' parameter is passed unsanitized to ffmpeg's -ss flag. (3) The 'out' parameter can contain path traversal sequences or command injection attempts through the mkdir and ffmpeg commands. An attacker could exploit these by providing malicious inputs like: --index '0);$(malicious_command);echo $(' or --out '/tmp/file.jpg;malicious_command;'. While the script uses quotes around variables (good practice), it doesn't validate input format or content. The script also allows unrestricted filesystem access to read any video file and write anywhere. To be production-safe, all user inputs must be validated against strict patterns (regex for index as digits only, time as HH:MM:SS format, output path within allowed directories). The trust score of 45 reflects critical command injection risks that could lead to arbitrary code execution.

Security Findings

critical - code-execution

Command injection vulnerability in index parameter - user input is directly interpolated into ffmpeg filter without sanitization

Evidence:

-vf "select=eq(n\\,${index})"

Recommendation: Validate that index is a positive integer using regex: [[ "$index" =~ ^[0-9]+$ ]] before use

critical - code-execution

Command injection vulnerability in time parameter - unsanitized input passed to ffmpeg -ss flag

Evidence:

-ss "$time"

Recommendation: Validate time format matches HH:MM:SS pattern: [[ "$time" =~ ^[0-9]{2}:[0-9]{2}:[0-9]{2}$ ]]

high - code-execution

Path traversal and command injection in out parameter - arbitrary paths can be created and used without validation

Evidence:

mkdir -p "$(dirname "$out")" and ffmpeg ... "$out"

Recommendation: Validate output path is within allowed directory, sanitize to prevent path traversal (../) and command injection

high - filesystem

Unrestricted file system access - script can read any video file and write to any location the user has permissions for

Evidence:

if [[ ! -f "$in" ]]; then ... fi and mkdir -p "$(dirname "$out")"

Recommendation: Restrict input/output paths to specific allowed directories, implement whitelist validation

medium - code-execution

Arbitrary ffmpeg execution - while quoted, ffmpeg processes user-controlled file paths which could exploit ffmpeg vulnerabilities

Evidence:

ffmpeg ... -i "$in" ... "$out"

Recommendation: Consider running ffmpeg in a sandboxed environment or container with limited permissions

✅ Good Security Practices

  • Uses 'set -euo pipefail' for safer error handling
  • Variables are quoted to prevent word splitting
  • Checks if input file exists before processing
  • Uses -hide_banner and -loglevel error to reduce output verbosity
  • Provides clear usage documentation

Source Information

ClawHub Page: clawhub.com/skills/video-frames
Source URL: /opt/homebrew/lib/node_modules/openclaw/skills/video-frames
Code Size: 1,377 characters
Semgrep Findings: 0