Back to skill
Skillv1.0.1
VirusTotal security
video-clip-skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:00 AM
- Hash
- c758d1bd6284e1a655355041d7ee2d01f0ee773655c863854b1e99b010c5ffb7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-clip-skill Version: 1.0.1 The skill is classified as suspicious due to multiple critical vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file system access, although there is no clear evidence of intentional malicious behavior by the skill author. Specifically, the `SKILL.md` instructions for the AI agent involve executing shell commands (`yt-dlp`, `ffmpeg`) with user-controlled arguments (`<URL>`, `<START>`, `<END>`, `<OUTPUT_FILE>`), which presents a high risk of shell injection if the agent does not properly sanitize or quote inputs. Furthermore, the agent is instructed to generate and execute a Python script with translated text embedded, creating a code injection vulnerability if the translated content (derived from user input) is not sanitized. The skill also performs broad file system operations (reading/writing VTT and output files) that, without robust sandboxing by the agent, could allow arbitrary file manipulation. The use of `GROQ_API_KEY` is for a stated legitimate purpose (transcription) but highlights a capability that could be abused.
- External report
- View on VirusTotal