Back to skill
Skillv1.0.1
VirusTotal security
acestep-lyrics-transcription · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:52 AM
- Hash
- 753ef754f262b8175fbf254e8aea0031b5c2f07ccf29fcf049079952d28e5d28
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: acestep-lyrics-transcription Version: 1.0.1 The skill is classified as suspicious due to multiple command injection vulnerabilities in `scripts/acestep-lyrics-transcription.sh`. Specifically, the `set_config` function is vulnerable to `jq` injection, allowing an attacker to manipulate the `config.json` file via crafted input. Additionally, the `curl` commands for API calls and the embedded Python scripts for format conversion directly interpolate user-controlled arguments (`--audio`, `--language`) and file paths without robust shell or Python escaping, creating potential for arbitrary command execution. While the `SKILL.md` explicitly instructs the agent *not* to read or display API keys, these vulnerabilities could be exploited by a malicious user to achieve unauthorized actions, despite the skill's stated purpose being benign.
- External report
- View on VirusTotal