Skill v2.1.0

VirusTotal security

Melies · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 6:40 AM
Hash: 3de6b923944309ad5c160cd5e1f5191f4a65cd18586753048bd5aa2fe378755b
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: melies
Version: 2.1.0

The Melies CLI skill bundle is classified as suspicious due to significant security vulnerabilities that could be exploited via prompt injection. Specifically, the login command in src/commands/login.ts (and the compiled dist/index.js) is vulnerable to shell injection because it incorporates the MELIES_API_URL environment variable into a child_process.exec call without sanitization. Additionally, multiple commands including image, video, and pipeline (src/commands/image.ts, src/commands/video.ts, src/commands/pipeline.ts) allow arbitrary file writes via the --output flag without path validation, potentially enabling the overwriting of sensitive system files. While these appear to be unintentional vulnerabilities rather than intentional malware, they pose a high risk in an autonomous agent environment.