Back to skill
Skillv1.0.1
VirusTotal security
DJ set ripper · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:11 AM
- Hash
- 0d2a47319d41a56f08c2721191fc10dcbdb6f10871a79b1bfd75a276dc814758
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dj-set-ripper Version: 1.0.1 The `dj-set-ripper` skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/normalize-filenames.sh`. The script uses `ARTIST` and `TITLE` variables, which are derived from untrusted user input (via LLM parsing of a DJ set description), without proper sanitization. These unsanitized variables are passed to `echo` commands piped to `awk`, `xargs`, `tr`, and `sed`, and are also used to construct the target filename for the `mv` command. This allows a malicious user to potentially achieve remote code execution by crafting a DJ set description that, when parsed, injects shell metacharacters into the artist or title fields.
- External report
- View on VirusTotal