Back to skill
Skillv1.0.0
VirusTotal security
XHS Video Downloader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:48 AM
- Hash
- cfa8a1449f6eea80386192e0905a979191fcd73e4fafda94827fbd6309ecd173
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xhs-video-downloader Version: 1.0.0 The skill's stated purpose of downloading Xiaohongshu videos is legitimate. The `SKILL.md` instructions for the AI agent are clear and do not show signs of prompt injection or malicious intent. However, the `scripts/download_video.py` file contains a path traversal vulnerability. The script constructs the output file path using user-provided `output_dir` and `--filename` arguments without sufficient sanitization, which could allow an attacker to write files to arbitrary locations on the filesystem (e.g., `../../etc/passwd`) if a malicious path is supplied via prompt injection to the agent or direct execution.
- External report
- View on VirusTotal