Back to skill
Skillv1.0.0
VirusTotal security
Traktor Web Scraper · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:12 AM
- Hash
- a920ea73a163d260dfc03c31508c0778702842e4a6b74d269a69b24bd04af598
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: traktor Version: 1.0.0 The skill is suspicious due to multiple potential shell injection vulnerabilities. In SKILL.md, Step 2, the `mkdir` command uses `{site-name}` derived from user-provided URLs without explicit sanitization, posing a risk if a malicious URL is crafted. More critically, in Step 3, Phase 4, the `curl` commands for downloading assets construct filenames using `{descriptive-name}` which is explicitly stated to come from 'alt text or context' of the scraped website. If this untrusted website content is directly inserted into the `curl` command without sanitization, it creates a severe shell injection vulnerability, allowing arbitrary command execution on the agent's host system.
- External report
- View on VirusTotal