Skill v1.0.4
VirusTotal security
Clinical Data Extractor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:31 AM
- Hash: cc1c5881410a3efec708ee52dcdf53158aa8530fd678917fd37c0101804af69e
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: clinical-data-extractor
  - Version: 1.0.4
  - The skill is classified as suspicious due to critical shell injection vulnerabilities. The `SKILL.md` explicitly instructs the AI agent to execute external command-line tools like `nano-pdf` (and potentially `pdftotext`) with user-controlled input (`<path-to-pdf>`) without any explicit sanitization or safe execution mechanisms. This creates a direct path for arbitrary command execution (RCE) if a malicious PDF path is provided. Additionally, while the skill instructs the agent to 'sanitize filename' for output, it does not specify a robust sanitization method, leaving it vulnerable to path traversal or further injection if the generated filename is later used in shell commands.
