Back to skill
Skillv1.0.0
VirusTotal security
bizyair-video · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 7:01 AM
- Hash
- 9ad877a347232212586898050d1df179564289b5733c296a6cd6a2c34374e1f0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: bizyair-video Version: 1.0.0 The skill bundle provides tools for video generation and image manipulation via the BizyAir API, but it contains critical command injection vulnerabilities in its shell scripts. Specifically, `scripts/create_video_task.sh` and `scripts/create_angle_task.sh` use unquoted heredocs (`cat <<EOF`) to construct JSON payloads using unsanitized user-controlled variables like prompts and URLs. This allows for arbitrary shell command execution if a payload contains sequences like `$(...)` or backticks. While the behavior appears aligned with the stated purpose and no clear evidence of malicious intent or data exfiltration was found, the high-risk nature of these vulnerabilities warrants a suspicious classification. The scripts communicate with the domain api.bizyair.cn.
- External report
- View on VirusTotal