Back to skill
Skillv1.0.0
VirusTotal security
M3U8 Downloader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:05 AM
- Hash
- b11cd2a77e5a234a56a63cc435afe53a2ad6b44204e13fdfe8489470894a081f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: m3u8-downloader Version: 1.0.0 The skill's stated purpose is benign, but the `scripts/download.sh` script contains a critical shell injection vulnerability. The `OUTPUT_NAME` variable, derived directly from user input, is used unsanitized in `ffmpeg` commands. This allows an attacker to inject arbitrary shell commands, leading to remote code execution. There is no evidence of intentional malicious behavior like data exfiltration or persistence, classifying it as a severe vulnerability rather than malware.
- External report
- View on VirusTotal