Skill v1.0.4
VirusTotal security
PaddleOCR Document Parsing V2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:51 AM
- Hash: 6025c4bfb7c2f822f406198993b076fd89186fc8b20cf62141981793108b663d
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: paddleocr-doc-parsing-v2
  - Version: 1.0.4

  The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/paddleocr_parse.sh`. The script uses `cat "$input_file"` to read local files for base64 encoding. If the `input_file` argument is controlled by an attacker (e.g., via prompt injection against the agent), a crafted string like `"; malicious_command; #.jpg"` could lead to arbitrary command execution. While the Python script (`scripts/paddleocr_parse.py`) handles file paths securely, the shell script's vulnerability poses a significant risk. The skill's core functionality of interacting with the PaddleOCR API, including reading local files and fetching remote URLs, is otherwise aligned with its stated purpose.
