Skill v1.0.1
VirusTotal security
Youtube Hq Downloader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 4:52 AM
- Hash: d1f33cb30faa1a2a0cede8b246e7f8e86b69f9e83f82f2f3dee32ccc4cab1ac9
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: youtube-hq-downloader
  - Version: 1.0.1
  - The skill is classified as suspicious due to critical shell injection vulnerabilities in both `download.sh` and `download.py`. In `download.sh`, the `ls ${OUTPUT_NAME}_video.*` command uses an unsanitized user-controlled `OUTPUT_NAME` variable, allowing arbitrary command execution. In `download.py`, the use of `subprocess.run(..., shell=True)` and `os.system()` with f-strings embedding user-controlled `url` and `output_name` variables, even when quoted, presents a high risk of shell injection if the inputs contain malicious characters that can break out of the quotes. These vulnerabilities could lead to arbitrary code execution on the agent's host machine, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration or backdoors), classifying it as a vulnerability rather than malware.
