Back to skill
Skillv1.1.0
VirusTotal security
feishu-weekly-report-merger · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 17, 2026, 1:06 PM
- Hash
- 61ded1054225046b8ac1c4e11a4653fca0bbcc5559a94956cd0f357c9f3aa35f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: feishu-weekly-report-merger Version: 1.1.0 The skill automates merging Feishu documents by fetching content and executing a local Python script (`scripts/merge.py`) via the `exec` tool. It is classified as suspicious due to a potential shell injection vulnerability in the `SKILL.md` instructions, which direct the AI agent to construct shell commands using strings extracted from document titles (e.g., user names) without explicit sanitization. While the script logic appears legitimate and lacks intentional malicious code, the workflow's reliance on shell execution with external, untrusted data poses a significant security risk.
- External report
- View on VirusTotal