Skill v4.0.0
VirusTotal security
PDF Translate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:52 AM
- Hash: 238a9a2bdd4fefa92f5c56bd2495d08c5c8375dfa882d5c9e73dcb01f1a1abe1
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: pdf-translate. Version: 4.0.0. The skill is classified as suspicious due to a significant Remote Code Execution (RCE) vulnerability. The `SKILL.md` file instructs the AI agent to execute shell commands (e.g., `python3 ${SKILL_DIR}/scripts/md2pdf.py "输入.md" "输出.pdf"`). The Python scripts (`scripts/md2pdf.py`, `scripts/translate_pdf.py`) take input and output filenames directly from command-line arguments (`sys.argv`) without explicit sanitization for shell metacharacters. If the OpenClaw agent does not adequately sanitize user-provided filenames before passing them to these shell commands, an attacker could inject arbitrary commands, leading to RCE. Additionally, `scripts/generate_complete_pdf.py` contains a hardcoded absolute output path, which is a minor vulnerability for unintended file overwrites.
