Back to skill
Skillv1.2.0
VirusTotal security
Video App · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:25 AM
- Hash
- 089af0cb19ced10b09a896cdf4ee892b8ff6c12cd0df6561599cfc76f00fa830
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vibeclip Version: 1.2.0 The skill is classified as suspicious due to a prompt injection vulnerability against the local Ollama LLM in `index.js`. The user-provided `prompt` is directly interpolated into the `ollama.chat` message, allowing an attacker to manipulate the LLM's output and potentially generate unintended or harmful content. While the use of `child_process.spawn` for FFmpeg is implemented securely with an array of arguments, mitigating direct shell injection, the LLM prompt injection represents a significant vulnerability in the AI interaction, even if it does not directly lead to host compromise or data exfiltration.
- External report
- View on VirusTotal