Skill v1.0.0
VirusTotal security
Bilibili Downloader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:41 AM
- Hash: 057408dba22a26fe3b8384569dc412a1f90ccdef30c5f1d8627d172a918c34bf
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: bilibili-downloader; Version: 1.0.0. The skill bundle is designed for downloading Bilibili content, which aligns with its stated purpose. However, the Python scripts (`scripts/*.py`) accept user-controlled `output_path` arguments directly from `sys.argv` and use them in `os.makedirs` and `os.path.join` without robust sanitization or validation. While filenames derived from video titles are partially sanitized (truncation, replacing '/'), the `output_path` itself could be manipulated by a malicious user or an exploited agent to write files to arbitrary locations on the filesystem (e.g., `/etc/passwd`), leading to a local file write vulnerability. This is a high-risk capability without clear malicious intent, classifying it as suspicious rather than benign. There is no evidence of data exfiltration, backdoors, or prompt injection against the agent.
- External report: View on VirusTotal
