Back to skill
Skillv0.1.6
VirusTotal security
Dub YouTube with Voice.ai · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 8:22 AM
- Hash
- 8851dcd0069472d69e53b6b53383562e4e4cd148993cf616655132aeadcab9f7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dub-youtube-with-voiceai Version: 0.1.6 The skill is classified as suspicious due to the presence of the `VOICEAI_API_BASE` environment variable override in `voiceai-vo.cjs` (src/api.ts) and documented in `references/VOICEAI_API.md`. While a legitimate configuration option, this allows an external actor (e.g., via prompt injection against an AI agent) to redirect API calls for text-to-speech generation to an arbitrary, potentially malicious, endpoint. This creates a clear data exfiltration vector for the user's script content, which is sent to the TTS API. Additionally, the skill executes external binaries like `ffmpeg` via `child_process.execFile`, which, while generally safer than `exec`, still represents a risky capability if not handled with extreme care or if the external binaries themselves have vulnerabilities.
- External report
- View on VirusTotal