Back to skill
Skillv2.1.1
VirusTotal security
Media News Digest · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:03 AM
- Hash
- 131836791441fbe2d19721b4cb7fdfea525e4057966a4253faa7bf26e46e653f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: media-news-digest Version: 2.1.1 The skill bundle is classified as suspicious due to a shell injection vulnerability found in the `scripts/test-pipeline.sh` file. Specifically, the script uses unquoted shell variables (`$TOPICS`, `$IDS`) within `grep -qi` and `python3 -c` commands, which could allow arbitrary command execution if a user provides specially crafted input to the `--topics` or `--ids` arguments. While this is a test script and not part of the main agent execution flow, it represents a vulnerability that could be exploited. The rest of the skill demonstrates strong security awareness, including explicit prompt injection mitigations in `SKILL.md` and `references/digest-prompt.md`, and robust HTML sanitization in `scripts/sanitize-html.py`.
- External report
- View on VirusTotal