Back to skill
Skillv2026.3.5
VirusTotal security
Qcut Video Edit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:56 AM
- Hash
- 0ab7dca1ba90c115f902bf2d474697b0881b527c3a3cb08a6d9a0f97ae9949c8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qcut-video-edit Version: 2026.3.5 The skill bundle is classified as suspicious due to several high-risk capabilities and potential vulnerabilities exposed through its commands. Specifically, the `bun run pipeline get-key --name <name> --reveal` command (documented in `reference-pipelines.md`) allows direct retrieval of sensitive API keys stored locally. Additionally, the 'Notification Bridge' feature (documented in `editor-state-control.md`) enables forwarding of user actions from the QCut application to the Claude PTY session, posing a privacy risk through potential monitoring. Furthermore, commands accepting arbitrary URLs (e.g., `--image-url`, `--url` in `REFERENCE.md`, `editor-media.md`) and HTML content (e.g., `--html` in `editor-output.md`) could lead to SSRF/LFI or XSS vulnerabilities in the underlying QCut application if not properly sanitized. While these are documented features, they represent significant security risks if misused or exploited, indicating a suspicious rather than benign nature, without clear evidence of intentional malicious exfiltration or backdoor installation by the skill itself.
- External report
- View on VirusTotal