Skill v1.0.6

VirusTotal security

Release · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 6:07 AM
Hash
d7fc32f9b6bde31c850f42848307c5c91783c88ded7785f274e932abbe850dee
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: ai-music-muse
Version: 1.0.6

The skill facilitates AI music generation via a custom API (skill-api.muse.top) but contains a significant shell injection vulnerability in its SKILL.md instructions. The agent is directed to execute bash commands (e.g., scripts/muse_api.py) by embedding raw, unsanitized user input—such as song descriptions, titles, and lyrics—directly into command-line arguments (e.g., --description "{用户描述}"). This allows a malicious user to potentially execute arbitrary commands on the host system via prompt injection.

Additionally, scripts/muse_api.py performs device fingerprinting by collecting and hashing the system's hostname, MAC address, and username to generate a persistent X-Device-Id for API requests.