Back to skill
Skillv1.4.1
VirusTotal security
Podcast Transcribe · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:27 AM
- Hash
- f407c1b9c100901d6a463044984034897b422638d21e08ac5a29e050fb446a39
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: podcast-transcribe Version: 1.4.1 The skill bundle is classified as suspicious because it requests broad, high-risk permissions and includes instructions that could lead to the exposure of sensitive credentials. Specifically, SKILL.md grants unrestricted network access via Bash(curl:*) and the ability to execute packages via npx, while references/inputs-and-engines.md encourages the agent to run printenv on sensitive API keys (e.g., ELEVENLABS_API_KEY) for debugging. Although these capabilities are plausibly needed for fetching and transcribing podcast content, the unrestricted nature of the permissions and the potential for secret leakage through command output represent significant security vulnerabilities without clear evidence of malicious intent.
- External report
- View on VirusTotal