Back to skill
Skillv1.0.1
VirusTotal security
QCut Toolkit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:17 AM
- Hash
- ae126646ce5af4f42b64defe15ad630602e30f0d62505b9dfa65d71966c4b0b9
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qcut-toolkit Version: 1.0.1 The toolkit contains several high-risk behaviors and architectural patterns that, while functional, create significant security and privacy concerns. Most notably, 'subtitles/SKILL.md' and 'talk-edit/SKILL.md' instruct the agent to upload user audio files to 'uguu.se' (a public temporary file hosting service) to facilitate transcription via the Volcengine API. The toolkit also includes local Node.js HTTP servers ('subtitle_server.js' and 'review_server.js') that execute shell commands using 'execSync' and 'spawn', presenting a potential Remote Code Execution (RCE) surface if the local ports are exposed. Furthermore, the 'videocut/self-evolve/SKILL.md' instructions explicitly direct the AI agent to modify its own skill files and rules based on 'feedback,' which could be leveraged as a mechanism for persistence or to inject malicious instructions into the agent's logic over time.
- External report
- View on VirusTotal