Back to skill
Skillv0.1.3
VirusTotal security
Voice.ai: Creator Voiceover Forge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:43 AM
- Hash
- 3792e83044d7cb9c7a3dfa490744d75a04d8d848b8b7bc5beb220fffab75426f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: voiceai-voiceover-creator Version: 0.1.3 The skill is classified as suspicious due to multiple shell injection vulnerabilities in `src/ffmpeg.ts`. User-controlled input paths (e.g., `--video`, `--audio`, `--out`) are directly interpolated into commands executed via `child_process.execFile` and, more critically, embedded into generated shell scripts (`replace-audio.sh`, `replace-audio.ps1`). An attacker could craft malicious input (e.g., `--video 'foo.mp4; rm -rf /'`) which would be executed if the user runs the generated scripts, or potentially via direct `ffmpeg` execution depending on argument parsing. There is no evidence of intentional malice, but the lack of input sanitization creates a severe remote code execution risk.
- External report
- View on VirusTotal