Skill v1.0.1
VirusTotal security
Ai Media · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:54 AM
- Hash: 73725103d4c2c38d653eeb118c1c15172f7f8c08cefbbce07b73852f47ee43b0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: ai-media; Version: 1.0.1. Multiple shell scripts (`scripts/audio.sh`, `scripts/talking-head.sh`, `scripts/image.sh`, `scripts/video.sh`) directly interpolate user-provided arguments (e.g., `$TEXT`, `$PROMPT`, `$LANG`) into Python scripts executed remotely via SSH. This creates a Remote Code Execution (RCE) vulnerability on the remote GPU server, as an attacker could craft input to break out of Python strings and execute arbitrary shell commands. While `scripts/image.sh` and `scripts/video.sh` (for 'animatediff' model) currently only print the workflow JSON, the RCE vulnerability is present in the design. The use of environment variables for SSH connection details (`SSH_KEY_NAME`, `GPU_USER`, `GPU_HOST`) also presents a risk if not securely controlled by the agent.
