Back to skill
Skillv1.0.0
VirusTotal security
Aura Video · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:06 AM
- Hash
- 65ffd153dd64775af2c595b4fb6a53d7a3e95a16e44b03cdb32a3b51c5b7b8ff
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: aura-video Version: 1.0.0 The skill bundle implements a video production pipeline that is highly vulnerable to shell injection. Specifically, scripts/aura_video.sh and scripts/aroll_watcher.sh parse JSON data from Google Drive and rclone output using 'python3 -c' and then pass these unsanitized strings directly into shell commands and subshells. While the behavior appears aligned with the stated goal of automating 'Aura Creatine' content, the lack of input validation and the direct reading of sensitive environment files ($HOME/.openclaw/.env) to extract API keys represent significant security flaws rather than intentional malice.
- External report
- View on VirusTotal