Skill v0.1.0
VirusTotal security
Parakeet Local Asr · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:22 AM
- Hash: d1b786069d2b2957415530fd74facaa8163f7ce43bd3ba980246f2b6b7d80c88
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: parakeet-local-asr; Version: 0.1.0. The skill bundle is suspicious due to several scripts allowing critical environment variables to override default paths and URLs, leading to potential remote code execution (RCE) and data exfiltration vulnerabilities. Specifically, `scripts/bootstrap.sh` and `scripts/start.sh` execute external code from a GitHub repository whose URL can be controlled by `PARAKEET_REPO_URL`. Furthermore, `scripts/smoke-test.sh` uploads a local file to a URL that can be controlled by `PARAKEET_URL`, creating a significant risk for data exfiltration if an attacker can manipulate these environment variables. The `SKILL.md` itself does not contain malicious prompt injection.
- External report: View on VirusTotal
