Skill v1.0.6

VirusTotal security

Release · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 6:07 AM
Hash
a7cb05b202ce2a45377bead65aee4cda9902bebd474090d2249bffb599c4f282
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: muse-ai
Version: 1.0.6

The skill bundle contains a high-risk command injection vulnerability in SKILL.md, where the AI agent is instructed to execute a bash command using unsanitized user input (the JWT token) via `scripts/register.py verify --token {content}`. Additionally, `scripts/muse_api.py` performs system fingerprinting by collecting the local username, hostname, and MAC address to generate a device ID (X-Device-Id) for API requests to `https://skill-api.muse.top`. While these behaviors are functionally linked to the music generation service, the combination of system tracking and the potential for remote code execution via the agent's command-line interface poses a security risk.