Skill v0.1.1

VirusTotal security

Doubao Image Video Skill V2 · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · May 1, 2026, 5:04 AM

Hash: cef538681e4f508f46587bc55a7d4c0ca19ea16ffacc702503c54df8e090acba
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: doubao-skill-v2
Version: 0.1.1

The skill is designed to interact with the Volcengine ARK API for image and video generation. It uses `curl` to communicate with the API and to download generated media.

The primary concern is a potential arbitrary file download vulnerability in `scripts/doubao.sh`. While the script restricts downloads to a local `data/` subdirectory within the skill's workspace, a malicious user could provide a crafted `image_url` to the `edit` action, or a compromised upstream API could return a malicious URL, leading to the download of arbitrary files.

The script does not attempt to execute these downloaded files, and there is no evidence of intentional malicious behavior such as data exfiltration, persistence, or unauthorized remote control. Prompt injection surfaces in `SKILL.md` and `README.md` contain only benign setup and usage instructions, not attempts to manipulate the agent for harmful purposes. The vulnerability, while limited in scope, warrants a 'suspicious' classification.