Back to skill
Skillv0.1.0
VirusTotal security
K8s Self Hosted Whisper Api · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:00 AM
- Hash
- 1c81c47b2a794c9524a3d4dd46a3199029cc858dfbcac3812745e0add7e1ed45
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: openclaw-self-hosted-whisper Version: 0.1.0 The `transcribe.sh` script contains several critical vulnerabilities. It is susceptible to shell injection via the `--prompt` argument due to improper sanitization when embedding the value into a `python3 -c` command. Furthermore, the script allows arbitrary file reading and uploading to the internal Whisper service via the `INPUT_FILE` argument, and arbitrary file writing via the `OUT_FILE` argument, as both are directly derived from user input without sufficient validation. While these flaws could lead to remote code execution and data exfiltration, there is no clear evidence of intentional malicious design, classifying it as suspicious rather than malicious.
- External report
- View on VirusTotal