Skill v1.1.5

VirusTotal security

爱图表 3D Chart · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 23, 2026, 10:11 AM
Hash
a02c7de289ef211cbfb6523046c6d3b0b3d150b1d0c44d9677d2634f5c1f3e4d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: aitubiao-3d-chart-illustration
Version: 1.1.5

The skill bundle contains a critical shell injection vulnerability in 'scripts/aitubiao-cli.sh'. The 'auth' command writes user-provided API keys into a credentials file using an unquoted heredoc, and the 'load_credentials' function subsequently executes this file using 'source'. This allows for arbitrary command execution if a crafted API key is provided. While the overall logic is aligned with the stated purpose of generating 3D charts via 'api.aitubiao.com', the lack of input sanitization and unsafe use of 'source' poses a significant security risk.