Back to skill
Skillv1.0.2
VirusTotal security
Video Proof · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:38 AM
- Hash
- 0ce934dabf5d7915c9f7497ec9b74d29e8e959158c559acd75973390846c7628
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-proof Version: 1.0.2 The skill bundle is suspicious due to a critical shell injection vulnerability. Both `scripts/api-proof.js` and `scripts/record-proof.js` directly execute the `start_command` from the `proof-spec.yaml` (or CLI arguments) using `spawn('sh', ['-c', spec.start_command])`. This allows arbitrary shell commands to be executed, leading to Remote Code Execution (RCE) if a malicious `proof-spec.yaml` is provided by an agent or user. Additionally, `scripts/setup.sh` uses `sudo` for installing dependencies, which, while intended for legitimate purposes, represents a privilege escalation capability.
- External report
- View on VirusTotal