Skill v1.0.0

VirusTotal security

Douyin Upload · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 6:21 AM
Hash: 1fd6628cedc455cf534188dd859a575ffd219df7cb3db2c3e9f59c2bf4dd6a1f
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: douyin-upload
Version: 1.0.0

The skill bundle contains a significant shell injection vulnerability in `scripts/publish.py` where `subprocess.run` is called with `shell=True` on a command string constructed from file paths. While the logic appears aligned with the stated purpose of automating Douyin uploads, the `SKILL.md` instructions explicitly direct the AI agent to execute shell commands, which is a high-risk behavior. Furthermore, several files (`sau.sh`, `scripts/config.py`) contain hardcoded absolute paths to a specific local user's directory (`/Users/yiwanjun/`), indicating unvetted code with poor security hygiene.