Back to skill
Skillv1.0.0
VirusTotal security
scarcest-not-money-video-gen · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 22, 2026, 7:11 PM
- Hash
- bcb7c54d1346f66ec16b2702bc6da13055038bd09ca20581bfcab7db43746e0f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: scarcest-not-money-video-gen Version: 1.0.0 The skill bundle contains a script `scripts/video_gen.js` that implements a high-risk capability: it can read arbitrary local files and upload them to a remote server (`api-growth-agent.weryai.com`) if a local path is passed via the `image` or `images` parameters. While this behavior is documented in `SKILL.md` and `WERYAI_VIDEO_API.md` as a feature for image-to-video generation, the script lacks path sanitization or strict file-type validation, creating a significant surface for data exfiltration if the AI agent is targeted by prompt injection. This vulnerability allows for the potential theft of sensitive files (e.g., SSH keys, credentials) despite the stated benign purpose.
- External report
- View on VirusTotal