Skill v1.0.0

VirusTotal security

Auto Clipper · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:37 AM
Hash
2503367f2b8c44b6714deb37b4480c1ffc22969d4f27311f281111bb0276ad93
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: auto-clipper
Version: 1.0.0

The skill exhibits several high-risk capabilities that, while potentially aligned with its stated purpose, introduce significant vulnerabilities. The primary concern is a prompt injection vulnerability identified in `SKILL.md` and `config.json`, where the `filename` from user-controlled input (watch folder) is directly incorporated into a prompt template for an external AI model (`openrouter/minimax/minimax-m2.5`). This could allow an attacker to craft malicious filenames to manipulate the AI agent's behavior. Additionally, the `scripts/auto_clipper.py` uses `subprocess.run` to execute `ffprobe` and `ffmpeg` with user-controlled `filepath` and `input_file` arguments, which presents a potential command injection vulnerability if these filenames contain malicious characters that `ffmpeg`/`ffprobe` might misinterpret. These are vulnerabilities that could be exploited, rather than clear evidence of intentional malicious behavior by the skill itself.