Back to skill
Skillv1.0.0
VirusTotal security
vwu.ai doubao Models · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:32 AM
- Hash
- d3339b7138d1db0306a3c2e7ad04eb677d520a3182a962a1d8ed652609cc7d13
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vwu-doubao Version: 1.0.0 The skill provides a shell script (`vwu-chat.sh`) to interact with the vwu.ai API for Doubao models. It contains a vulnerability where the user-provided prompt and model name are directly injected into a JSON string within a `curl` command without proper escaping or sanitization. This allows for JSON injection if the input contains special characters, which is a significant security flaw in automated environments, although no evidence of intentional malice or unauthorized data exfiltration was found.
- External report
- View on VirusTotal