Back to skill
Skillv1.0.0
VirusTotal security
Video Download FaaS · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:17 AM
- Hash
- 0d2e46991b95009affbcc9f7d79109daf630dee83808c60f39d373ef5643969b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-download-faas Version: 1.0.0 The skill bundle contains multiple critical shell injection vulnerabilities across all three scripts. In `scripts/download.sh`, the `output_directory` parameter is directly interpolated into `mkdir -p` and `yt-dlp -o`, allowing arbitrary command execution. In `scripts/check-status.sh` and `scripts/kill-download.sh`, the `session_id` parameter is directly used in file paths for commands like `cat`, `grep`, `sed`, `ls`, and `rm`, leading to shell injection. These flaws enable an attacker to execute arbitrary commands on the host system, but there is no evidence of intentional malicious behavior within the provided code, classifying it as suspicious due to severe vulnerabilities.
- External report
- View on VirusTotal