Back to skill
Skillv1.0.0
VirusTotal security
AI Citation Content Writer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:51 AM
- Hash
- d88ca131a279d3cb48e030c25bbc87218b0d01b722909ae5efbb0726a6e4d454
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: geo-citation-writer Version: 1.0.0 The skill bundle is classified as suspicious due to a critical path traversal vulnerability in `scripts/generate_content.py` and an instruction in `SKILL.md` to execute an unprovided script. The `generate_content.py` script uses the user-controlled `--output` argument directly as a filename, allowing an attacker to write arbitrary files to any location accessible by the agent (e.g., `python scripts/generate_content.py --output ../../../tmp/evil.md`). Furthermore, `SKILL.md` instructs the agent to run `scripts/batch_generate.py`, a script that is not included in the provided bundle, posing a significant risk as its content and behavior are unknown and unverified.
- External report
- View on VirusTotal