Back to skill
Skillv1.0.0
VirusTotal security
BT Download · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 6:15 AM
- Hash
- fde14bfbb132c5afb574587aec3ef849e457e70018c0056e235c9dacdc2229a0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: bt-download Version: 1.0.0 The skill bundle provides BitTorrent management functionality via aria2 but contains several high-risk vulnerabilities. In `plugin.ts`, the `bt_start_rpc` tool is vulnerable to shell command injection because the `downloadDir` parameter is interpolated directly into a command string without sanitization. Additionally, the `bt_download` tool allows for arbitrary file reading if a user-provided path ends in `.torrent`, and the `bt_install_aria2` tool executes high-privilege `sudo apt-get` commands. While these capabilities are aligned with the stated purpose, the lack of input validation and the use of broad permissions pose a security risk.
- External report
- View on VirusTotal