Back to skill
Skillv1.0.0
VirusTotal security
lgCapture · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:32 AM
- Hash
- af3a602db7797b94dfe18cce5c92d8a49fe2d40b75ca21db813d540b581fa0fb
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lgcapture Version: 1.0.0 The skill bundle contains a script, `download.py`, which has a path traversal vulnerability. This script accepts an optional `output_file` argument from `sys.argv[2]` and uses it directly in `open(output_file, 'wb')` without any sanitization. Although the `SKILL.md` instructions guide the agent to use `douyin.py` (which is benign and writes only to `/tmp/`), the presence of `download.py` in the bundle means an attacker could potentially use prompt injection to instruct the agent to execute `download.py` with a malicious `output_file` path (e.g., `../../../../etc/passwd`), leading to arbitrary file write. This is a vulnerability that could be exploited, making the skill suspicious.
- External report
- View on VirusTotal