Skill v3.3.2
VirusTotal security
Anima · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:47 AM
- Hash: c3b337b70de077c93e45e18e02c5dcce8b6d81f6d9c415d8943037f93fde2a22
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: anima; Version: 3.3.2. The skill is classified as suspicious due to multiple shell injection vulnerabilities. Specifically, `run.js` passes the user-controlled `--target` argument directly into an `execSync` call to `src/send_video_pro.js` without sanitization. `src/send_video_pro.js` then interpolates this `TARGET_ID` directly into a `curl` command, creating a clear shell injection risk. Additionally, `src/director.js` has a fallback mechanism using the macOS `say` command, where user-provided `text` is interpolated into an `execSync` call, posing another shell injection vulnerability. There is no evidence of intentional malicious behavior like data exfiltration or persistence, but these flaws could be exploited for arbitrary command execution.
