Back to skill
Skillv0.1.1
VirusTotal security
Download Anything · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:16 AM
- Hash
- c3863fc28ed9df6a02e34dff1f41e6295b2860f2817a49f095e79ea305e0669d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: download-anything Version: 0.1.1 The skill is classified as suspicious due to several high-risk capabilities and potential vulnerabilities, despite its stated purpose of downloading digital resources. Key indicators include the use of `yt-dlp --cookies-from-browser` in `scripts/dl-video.sh`, which grants the skill access to the user's browser session cookies for authenticated downloads. Additionally, `scripts/dl-gallery.sh` passes arbitrary extra arguments to `gallery-dl`, posing a potential shell injection vulnerability if `gallery-dl` supports dangerous execution arguments. The documentation (`references/*.md`) also explicitly directs the agent/user to 'shadow libraries,' torrent sites, and DDL sites, which are often associated with copyright infringement and potentially malware-laden content, significantly increasing the risk surface. Finally, the `scripts/install-toolkit.sh` requires `sudo` for package installations, granting broad system access during setup.
- External report
- View on VirusTotal