Skill v1.0.0

VirusTotal security

YouTube Transcript Generator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 27, 2026, 4:46 AM

Hash: 05f503e892653460482937de925e3f871c7cc1bf6a138a57f1e280751a6e16b6
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: youtube-transcript-generator
Version: 1.0.0

The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `scripts/get_transcript.sh`. The script directly interpolates the user-provided second argument (intended as an output filename) into shell commands like `python3 -c "..." > "$OUTPUT"`, `wc -l < "$OUTPUT"`, `wc -w < "$OUTPUT"`, and `cat "$OUTPUT"`. This allows an attacker to inject arbitrary shell commands by crafting a malicious output filename, leading to remote code execution. While the script's stated purpose is benign, this vulnerability poses a significant security risk.