Back to skill
Skillv1.0.0
VirusTotal security
Douyin DL · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:59 AM
- Hash
- 35ecd0d734a8e493fd2d36ccbf053ef66e7e3c17aa3baa4744188c9b0ececca6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: douyin-dl Version: 1.0.0 The skill contains a critical shell injection vulnerability in `scripts/douyin_download.py` due to the use of `subprocess.run(shell=True)` with unsanitized user input (the URL and output path). While the script's logic and `SKILL.md` instructions align with the stated purpose of downloading videos via a headless browser, the insecure command construction allows for arbitrary code execution if a crafted URL is provided. No clear evidence of intentional malice or data exfiltration was found.
- External report
- View on VirusTotal