Skill v1.0.2
VirusTotal security
DJ mp3 sourcer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 4:10 AM
- Hash: 1a1b363f361b3e54bdfc9d8eb07982d56c369aa0ed6f9caa7c2872be6b866f01
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: dj-mp3-sourcer; Version: 1.0.2. The skill bundle exhibits a directory traversal vulnerability in `scripts/normalize-filenames.sh`. The script constructs target filenames for the `mv` command using artist and title information parsed from a JSON tracklist. If a malicious user provides input (e.g., via a crafted URL or prompt) that results in `artist` or `title` containing directory traversal sequences (e.g., `../`), the `mv` command could rename or move files to arbitrary locations outside the intended download directory. While this is a critical vulnerability, there is no clear evidence of intentional malicious behavior by the skill author, aligning with a 'suspicious' classification rather than 'malicious'.
