Skill v1.0.6
VirusTotal security
Blog Polish Zhcn Images · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 5:59 AM
- Hash: 0339cf491e3de14f07df54ca3c23a511410efc355464eb9db5aafd1310d05a5a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: blog-polish-zhcn-images; Version: 1.0.6. The skill contains a critical shell injection vulnerability in the `workflow` section of `SKILL.md`. Specifically, the `polish_and_translate` step uses `echo -e` to write the `$content` variable (which is read directly from a user-provided draft file) into a new file without sanitization. This allows for arbitrary command execution if the draft file contains shell metacharacters like backticks or command substitution syntax. While the overall intent appears to be a legitimate blog polishing tool, this implementation flaw is a high-risk vulnerability.
