Trust Assessment
video-frames received a trust score of 72/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via unsanitized index parameter in ffmpeg filtergraph.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unsanitized index parameter in ffmpeg filtergraph | LLM | scripts/frame.sh:68 |

The 'index' parameter, provided by the user via `--index`, is directly interpolated into an ffmpeg video filter (`-vf`) string without proper sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious 'index' value (e.g., `0); malicious_command; #`), which will be executed by the shell before ffmpeg is invoked. This leads to remote code execution.

Implement strict validation for the 'index' parameter to ensure it contains only numeric characters. For example, add a check like `[[ "$index" =~ ^[0-9]+$ ]]` before using the variable. If validation fails, the script should exit with an error. This prevents shell metacharacters from being interpreted as commands.