The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/overlay.ts executes ffmpeg and ffprobe using the Bun shell. Although argument escaping is handled, the script permits processing of arbitrary file paths provided via command-line arguments without restriction.
[COMMAND_EXECUTION]: The execution path for the ffmpeg binary can be overridden through the FFMPEG_BIN environment variable in scripts/overlay.ts. This pattern could be exploited to redirect execution to a malicious binary if the execution environment is compromised.
[COMMAND_EXECUTION]: There is a potential for FFmpeg filtergraph injection in scripts/overlay.ts. The fontDir parameter is concatenated into the FFmpeg filter string without sanitizing internal filter separators such as the colon (:). An attacker could provide a crafted fontDir (e.g., /path:drawtext=textfile='/etc/passwd') to inject additional filters that might read sensitive system files and render their contents into the output video.
[DATA_EXFILTRATION]: The skill can read from and write to arbitrary file system paths via the inputPath and outputPath arguments. If an agent is manipulated into 'processing' sensitive files, this capability could be used to expose system data by embedding it into a video file.
[SAFE]: The skill properly identifies its source and homepage on the author's GitHub repository, matching the expected vendor context for 'tfcbot'.

sfd-video-overlay