Skill v1.0.0
VirusTotal security
Feishu Video Editor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Mar 21, 2026, 4:16 PM
- Hash: 192a6c3f98d2d4193895fefc5afaefdc48fd263b2c4f590b0193b4b000a4a072
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: feishu-video-editor; Version: 1.0.0. The skill contains a significant shell injection vulnerability in `src/index.ts` within the `runPythonScript` function, where user-provided arguments (such as file paths and timestamps) are concatenated into a shell command string and executed via `child_process.exec` without sanitization. While the Python backend (`src/video_processor.py`) uses safer `subprocess.run` list-based calls for FFmpeg, the TypeScript entry point's use of a raw shell string allows for arbitrary command execution. The functionality itself (video editing via FFmpeg and Whisper) appears legitimate and aligned with the documentation, but the lack of input validation makes it highly vulnerable.
