Skill v1.1.0

VirusTotal security

抖音视频智能助手 (Douyin Video Smart Assistant) · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:36 AM
Hash
cdc361ca2db2044f57e30962ea75917b743297893d80042350b334d3a7851a74
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: douyin-transcribe-skill
Version: 1.1.0

The skill bundle provides legitimate functionality for transcribing Douyin videos but contains a high-risk command injection vulnerability. In `scripts/transcribe.js`, the `runCommand` function uses `execSync` with unsanitized string interpolation, which could allow arbitrary command execution if a user provides a specially crafted URL or file path. While the behavior aligns with the stated purpose and no evidence of intentional malice or data exfiltration (beyond sending audio to configured STT providers) was found, the lack of input sanitization in shell execution qualifies it as suspicious.