Skill v1.0.0

VirusTotal security

ACE-Step Music Generation · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Apr 30, 2026, 5:00 AM
Hash
2a69ef303b26434d93363f28ba89efc8d0a309e961f9a5a0236d2b0430fa00f5
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: ace-step-music
Version: 1.0.0

The skill bundle is classified as suspicious due to multiple instances of potential command/code injection vulnerabilities across several scripts. Specifically, `ace-step-agent.sh`, `ace_step_agent_server.py`, `ace_step_skill.py`, `feishu_music_sender.py`, `generate_and_send.sh`, and `generate_and_send.py` construct shell commands or Python scripts by directly interpolating user-controlled input (like `prompt` or `output_path`) without proper sanitization. This allows for arbitrary code execution if an attacker provides specially crafted input, for example, in `ace_step_agent_server.py` via `subprocess.run(cmd, shell=True)` and in Python scripts via f-string interpolation into `exec` or `subprocess` calls. There is no clear evidence of intentional malicious behavior such as data exfiltration or persistence, but these vulnerabilities pose a significant risk.