Skill v1.0.17
VirusTotal security
字幕菌 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 6:15 AM
- Hash: c94c8c7166b90965ed57cd8dc1dba183e064f2647190d287574c5e5fb1101baa
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: zimujun; Version: 1.0.17. The skill utilizes `npx --yes zimujun@latest` in `SKILL.md` to dynamically download and execute code from npm at runtime, which introduces a supply chain risk. Furthermore, the instructions explicitly direct the AI agent to solicit the `ZMJ_API_KEY` from the user within the chat interface if it is missing, encouraging risky credential-handling practices. While these actions are aligned with the tool's stated purpose of subtitle extraction via a third-party service (devtool.uk), the combination of dynamic remote execution and active credential solicitation warrants a suspicious classification.
