Back to skill
Skillv1.0.0
VirusTotal security
mar-douyin-hot-trend · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 3:41 AM
- Hash
- b27ec6b867cb3075a3dede87ba5d77ad3c307eafaa6af10e906802ec3e99c14e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mar-douyin-hot-trend Version: 1.0.0 The skill bundle contains a command injection vulnerability in 'scripts/get-hot-trend.js', where the 'limit' argument from 'process.argv[2]' is passed directly into 'execSync' without sanitization. Additionally, 'cron-job.js' contains a hardcoded Telegram chat ID (8428610733) for data delivery, which is unusual for a generic skill. While the primary logic of scraping Douyin trends via the SkillBoss API (api.heybossai.com) aligns with the stated purpose, these implementation flaws pose a security risk.
- External report
- View on VirusTotal