Skill v1.1.0
VirusTotal security
AssemblyAI Transcriber · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 3:33 AM
- Hash: 8af2d3d28c36f7ec6f3e35631606a28f055286015ea706b3fb7858df93aed160
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: assemblyai-transcriber; Version: 1.1.0. The skill is classified as suspicious due to a critical input sanitization vulnerability in `scripts/transcribe.py`. The script directly uses `sys.argv[1]` as an `audio_source` without validation, allowing an attacker to potentially trick the OpenClaw agent (via prompt injection) into uploading arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) to the AssemblyAI service. While the data is sent to the legitimate AssemblyAI endpoint, this constitutes an unauthorized data disclosure vulnerability, not intentional malicious exfiltration by the skill itself.
