Skill v1.0.0
VirusTotal security
Xiaohongshu Video Downloader (小红书视频下载器) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 4:23 AM
- Hash: fb8d80a215b355204ec35d7664fde848db97f9f81e622e379075527098fe54d3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: xiaohongshu-downloader. Version: 1.0.0. The skill's core functionality to download and process videos is implemented securely, using `subprocess.run` with lists to prevent shell injection vulnerabilities in `scripts/download_xiaohongshu.py` and `scripts/parallel_transcribe.py`. However, the skill is classified as 'suspicious' due to the inherent prompt injection vulnerability against the AI agent's LLM component. The `SKILL.md` instructions explicitly direct the agent to read user-controlled content (video title and transcript from `~/Downloads/<video title>/transcript.txt` and `.meta.json`) and insert it into a prompt template (`reference/summary-prompt.md`) for AI summary generation. This creates a surface where malicious input in the video title or transcript could manipulate the LLM's behavior, even though the skill itself does not contain malicious intent or exploit this vulnerability.
