Skill v1.0.0
VirusTotal security
xhs-auto-content-by-hot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 6:45 AM
- Hash: 5f9c8c6d9e21adc928b596e2b48b625f5a290971f42d682e6e130de07575ebac
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: xhs-auto-content-by-hot. Version: 1.0.0. The skill instructs the AI agent in SKILL.md to solicit a sensitive API key from the user and programmatically write it into the 'scripts/generate.py' source file. This is a highly insecure practice that leads to hardcoded credentials and creates a significant risk of Remote Code Execution (RCE) if the agent fails to sanitize the user-provided input before modifying the Python script. While the script's logic for fetching Baidu trends and calling the Volcengine API (ark.cn-beijing.volces.com) appears legitimate, the automated code-modification pattern is a major security flaw.
