Back to skill
Skillv1.0.0
VirusTotal security
music-manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:29 AM
- Hash
- 5a47b581a0527f6f999180521c9ab1c849a34da4791952cf3d410f2d010f6df4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: music-manager Version: 1.0.0 The skill facilitates music downloading via `yt-dlp` but defaults to extracting sensitive browser cookies (`--cookies-from-browser chrome`) and lacks input sanitization on the `category` parameter in `scripts/download_music.py`. This creates a path traversal vulnerability where a crafted category name (e.g., using `../`) could allow the script to write files to unauthorized locations on the filesystem. While these features are documented, the combination of sensitive data access and weak input validation poses a risk in an automated agent environment.
- External report
- View on VirusTotal