Back to skill
Skillv1.0.0
VirusTotal security
Video Clip · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:44 AM
- Hash
- f8a7e727f28046f4fa479e61a3b5875f2ae53edf9f1dee286eb6504b01dce151
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-clip Version: 1.0.0 The skill is classified as suspicious due to significant shell injection vulnerabilities and a potential file exfiltration vector. The `scripts/clip.sh` file directly interpolates user-controlled arguments (`$INPUT`, `$START`, `$END`, `$DURATION`, `$OUTPUT`) into an `ffmpeg` command without sanitization, creating a classic shell injection risk. Additionally, the `SKILL.md` file contains an embedded script for AI editing that uses `curl` to upload a file (`$FILE_PATH`) to an external API (`https://agent-api-test.aicoding.live`). If an attacker can manipulate `$FILE_PATH` via prompt injection against the AI agent, this could lead to the exfiltration of arbitrary local files to the external endpoint.
- External report
- View on VirusTotal