Back to skill
Skillv1.0.1
VirusTotal security
Video Proof · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:44 AM
- Hash
- b62b17d461db359c29cdf898f928822e1909dabdaac381ada51ec0f895e7b204
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-proof-skill Version: 1.0.1 The skill is highly suspicious due to its design allowing arbitrary shell command execution and broad network access. Both `scripts/record-proof.js` and `scripts/api-proof.js` execute user-provided `start_command` values directly via `spawn('sh', ['-c', ...])`, which is a critical Remote Code Execution (RCE) vulnerability. The `SKILL.md` and `references/proof-spec.md` explicitly instruct an AI agent to generate this `start_command` based on its task, creating a direct prompt injection vector for RCE. Additionally, `scripts/setup.sh` uses `sudo` for dependency installation, and `scripts/api-proof.js` can make arbitrary HTTP/HTTPS requests, further increasing the attack surface.
- External report
- View on VirusTotal