Skill v1.0.1

VirusTotal security

Social Push Semi · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:09 AM
Hash
434956d6e85a6382845c75747c8c131f0016314013637149a714d90571e8d6fd
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: social-push-semi
Version: 1.0.1

The skill is classified as suspicious due to a shell injection vulnerability in `scripts/run.sh`. The script uses `ffmpeg -i "$VIDEO"` without proper sanitization or quoting of the `$VIDEO` variable, which could allow arbitrary command execution if a malicious video path (e.g., containing shell metacharacters) is provided by the agent or user. While `scripts/fill_preview_cdp.sh` includes a partial path validation, this check is not present in `run.sh` itself, nor in `scripts/one_shot.sh` which calls `run.sh`. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoors; the primary concern is the RCE vulnerability.