Back to skill
Skillv0.1.0
VirusTotal security
Video To Text · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:53 AM
- Hash
- eb4f981d023da977bb9fe6d9d0e7f1f1cf5cfac054f83482b69b66d8822812bc
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-to-text-2 Version: 0.1.0 The skill is classified as suspicious due to its use of `subprocess.run` to execute external commands (`yt-dlp`), which, while necessary for its stated purpose, introduces a potential for shell or argument injection if the OpenClaw agent does not properly sanitize user-provided URLs or file paths before execution. Additionally, the script handles sensitive Bilibili authentication credentials (SESSDATA, bili_jct, buvid3) by allowing them to be passed as command-line arguments or stored in a global variable within `scripts/video_to_text.py`, which is a vulnerability in credential management that could lead to exposure. The `SKILL.md` itself does not contain malicious prompt injection but outlines a `bash` command usage that could be exploited by an agent if user input is directly interpolated.
- External report
- View on VirusTotal