Skill v1.0.0
VirusTotal security
财税公众号小助手 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:48 AM
- Hash: 54a9336ebed59eb2c2d1a4bf37018aa2e2011f669d7dae55b4189f21b18c2163
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: financial-contant-writer
  - Version: 1.0.0
  - The skill bundle is classified as suspicious due to several significant security vulnerabilities. The `finance-image-generator.cjs` script contains a critical arbitrary file write/path traversal vulnerability, as the `--output` argument allows writing a markdown report to an attacker-controlled path without apparent sanitization. This script also hardcodes an Unsplash API key, which is a security best practice violation. Furthermore, the extensive and detailed system prompts across multiple markdown files (`SKILL.md`, `finance-valuation-agent-guide.md`, `finance-valuation-coze-guide.md`, `finance-writer-coze-quickstart-vX.md`, `wechat-finance-writer-coze.md`) create a large prompt injection attack surface, which could be leveraged to exploit the aforementioned file write vulnerability or other agent capabilities.
