Skill v1.0.0

VirusTotal security

Noodle Create Writing · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 4:55 AM
Hash: a7d816d97cbd105d5b0e6632a8502a0f7753d11052ea0722260952998b3832af
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: noodle-create-writing
Version: 1.0.0

The skill is classified as suspicious due to a shell injection vulnerability found in `scripts/search-content.js`. The `executeTavilySearch` function uses `child_process.execSync` to execute an external `node` command, constructing the command string with user-controlled input (`query` derived from `topic` and `keywords`). Although the `query` is wrapped in double quotes, this is insufficient to prevent shell injection if the user input contains crafted characters (e.g., `" || evil_command #`) that could break out of the quoted string and execute arbitrary commands on the host system. This represents a Remote Code Execution (RCE) risk, which is a critical vulnerability, but without evidence of intentional malicious exploitation, it is classified as suspicious rather than malicious.