Back to skill
Skillv1.0.0
VirusTotal security
Video Transcribe · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:44 AM
- Hash
- 3e66f8f91f447a62ec5be35322d7848cd173840354ec8d68554dee24057b46df
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: video-to-text Version: 1.0.0 The `scripts/transcribe.sh` file contains a shell injection vulnerability. The `$INPUT` variable, which is derived directly from user input via the `SKILL.md` tool definition, is used unsanitized within the `ffmpeg -i "$INPUT"` command. This allows an attacker to inject arbitrary shell commands. Additionally, the `SKILL.md` describes an 'AI Edit' tool that uploads user-provided video/audio files to an external API (`agent-api-test.aicoding.live`), which, while stated functionality, involves significant data transfer to a third-party service.
- External report
- View on VirusTotal