showcase-video-builder

Warn

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/build_showcase.sh contains a command injection vulnerability due to unsafe variable expansion. The $INPUTS variable, which is constructed from filenames found in the target directory, is passed to the shell unquoted during the final ffmpeg execution. If a file with a name containing shell metacharacters (e.g., ;, &, or backticks) is present in the directory, it will lead to arbitrary command execution when the script is run.
  • [COMMAND_EXECUTION]: The documentation in SKILL.md provides an example for concatenating video segments with ffmpeg's concat demuxer using the -safe 0 flag. This flag disables the demuxer's restriction that prevents ffmpeg from reading files given by absolute paths or located outside the current directory, which can be exploited for unauthorized file access if the input file list is sourced from untrusted data.
  • [COMMAND_EXECUTION]: The shell script uses an environment variable for the binary path (FFMPEG="${FFMPEG:-ffmpeg}") which is then executed. If an attacker can influence the environment in which the agent executes the script, they can redirect the execution to a malicious binary.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 18, 2026, 01:08 AM
Security Audit — agent-trust-hub — showcase-video-builder