Skill v1.0.12

VirusTotal security

blog-polish-en-astro-cn · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Mar 22, 2026, 11:56 AM
Hash
8844e9d455d4f4a6547099c989665c259b8c8fcd521c5500e3d4fd7fe4a91bec
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: blog-polish-en-astro-cn
Version: 1.0.12

The skill bundle contains a shell injection vulnerability in SKILL.md within the 'init' workflow step, where 'eval echo' is used on the user-provided 'outputDir' input to perform tilde expansion without sanitization. This allows for arbitrary command execution if a crafted directory path is provided. While the overall intent appears to be a legitimate utility for polishing and translating blog drafts, the inclusion of this risky shell pattern and the presence of hardcoded absolute paths for a specific user ('jeff') in SKILL_eng.md suggest poor security practices.