Back to skill
Skillv1.0.0
VirusTotal security
Fish Tts · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:11 AM
- Hash
- b425e6e64b11184e20121a891a4976ab073c810f217e3c91affcf33589fa6e8a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: fish-tts Version: 1.0.0 The skill is classified as suspicious due to a hardcoded NextCloud password found in both `SKILL.md` and `SKILL.py`, which is a significant credential management vulnerability. Additionally, the bash script template provided in `SKILL.md` is vulnerable to shell injection via the `$text` and `$voice` parameters when used with `curl -d`, posing a direct prompt-injection risk against an agent executing these instructions with user-controlled input. While the Python implementation (`SKILL.py`) correctly mitigates the shell injection risk by using `requests` with JSON payloads, the presence of the vulnerability in the markdown template and the hardcoded password are critical flaws.
- External report
- View on VirusTotal