Back to skill
Skillv0.1.1
VirusTotal security
Wenshushu File Uploader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:35 AM
- Hash
- 6fb35040a8e04a1818a78a9d47ba513afb1bd79b6455c7e6b92a8cfc42bdfd50
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wenshushu-uploader Version: 0.1.1 The skill exhibits high-risk behaviors and a potential path traversal vulnerability. It includes an installation script (`install.sh`) that executes a remote script via `curl | sh` and a Python script (`scripts/upload.py`) that performs runtime package installation using `uv`. Furthermore, the `upload_file` function in `scripts/upload.py` resolves file paths without validating that they reside within the intended workspace, potentially allowing an agent to exfiltrate sensitive system files if prompted. While these capabilities are aligned with the stated purpose of uploading files to Wenshushu, the lack of path sanitization and the automated execution of remote installation logic meet the criteria for a suspicious classification.
- External report
- View on VirusTotal