Skill v1.0.0

VirusTotal security

Product Demo Video Creator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 6:02 AM
Hash: 0d775b6912742736a1413a3eb630c45a7d30b8d2a7bde3d2f6f9d89c3628012e
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: product-demo-video
Version: 1.0.0

The skill bundle contains a shell injection vulnerability in `scripts/record-demo.mjs` where narration text is passed to `execSync` with insufficient sanitization (only double quotes are escaped), allowing for subshell execution (e.g., via backticks or `$()`). Additionally, `scripts/install-deps.sh` downloads and installs a pre-compiled FFmpeg binary from an external site (johnvansickle.com), which is a high-risk supply chain practice. While these behaviors are functional for the stated purpose of video generation, they represent significant security flaws that could be exploited by a malicious prompt.