Skill v0.1.1

VirusTotal security

Discord Local STT/TTS Installer (macOS) · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 4:21 AM
Hash: cc44e624cefbea681e62285d26ef933a74d37ff17e815f07a1641cfd5abc9338
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: discord-local-stt-tts-installer
Version: 0.1.1

The skill downloads and installs a plugin from a GitHub repository (vilmire/discord-local-stt-tts) using `curl` and `unzip`. A significant supply chain vulnerability exists in `bin/install.sh` because it executes `pnpm i && pnpm build` on the downloaded code if `pnpm` is available. This allows for arbitrary code execution via `package.json` scripts if the upstream GitHub repository were to be compromised, making it a high-risk capability, though not inherently malicious in this skill's design.