Skill v1.1.0
VirusTotal security
Markdown to HTML · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:19 AM
- Hash: f68cf1bd8c581339de28c07662ede62eb627c29b5710675102f2bf01d0436cfa
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: markdown-to-html. Version: 1.1.0. The skill is classified as suspicious due to a significant Cross-Site Scripting (XSS) vulnerability in the `main.py` script. The `md_to_html` function, specifically within the `inline` helper, fails to properly escape user-provided markdown content for link text and image alt text before embedding it into the generated HTML. This allows an attacker to inject arbitrary HTML/JavaScript into the output, which could lead to client-side attacks when the generated HTML is viewed. There are no other indicators of malicious intent such as data exfiltration, persistence, or direct prompt injection attempts against the OpenClaw agent in `SKILL.md`.
