Back to skill
Skillv1.0.0
VirusTotal security
Dual-Host Daily Podcast Generator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:58 AM
- Hash
- a0d318b1dd880a48f0186e9eebd3435f3cf062c9672cc591c52bbd4b56673365
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dz-podcast Version: 1.0.0 The skill bundle contains critical shell injection vulnerabilities within `scripts/generate_episode.sh`. Specifically, the `date -d "${DATE}"` command allows arbitrary command execution if the `$DATE` variable is controlled by an attacker, and the `sed` command embedding `$NEW_ITEM` is also vulnerable to injection. These flaws could lead to Remote Code Execution (RCE) if an attacker can influence the inputs (e.g., podcast title, description, or date) provided to the script, either directly or via prompt injection against the OpenClaw agent. While the overall intent of the skill (podcast generation) appears benign, these severe vulnerabilities classify it as suspicious due to the high risk of exploitation.
- External report
- View on VirusTotal