Skill v0.1.0
VirusTotal security
Google Scholar Search Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:39 AM
- Hash: d6c2d45d6a33a89b43cee78fe5a831a950f0a36543e81b5b7953e7276887684f
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: google-scholar-search-skill; Version: 0.1.0. The `google_scholar_search.py` script contains a path traversal/arbitrary file write vulnerability. The `--output` argument, which is user-controlled, is directly used as a `filepath` in `OutputHandler.write_file` without any sanitization or validation. This allows an attacker or a malicious AI agent to write arbitrary JSON content (search results or author info) to any location on the filesystem where the agent has write permissions, potentially overwriting sensitive files or leading to denial of service. While this is a critical vulnerability, there is no clear evidence of intentional malicious behavior (e.g., hardcoded malicious paths, data exfiltration, or persistence mechanisms) within the code or the `SKILL.md` instructions, classifying it as suspicious rather than malicious.
