Skill v1.0.2

VirusTotal security

Markdown Canvas · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:56 AM
Hash: edecc5829ab35894de6c969deed245f42ee864687724c7c1b6d0f8f653c8a65e
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: markdown-canvas
Version: 1.0.2

The `scripts/convert.py` file contains a critical Cross-Site Scripting (XSS) vulnerability. The `convert_markdown_to_html` function does not properly sanitize or escape user-provided markdown content before injecting it into the `{{CONTENT}}` placeholder in `assets/template.html`. This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML page by including raw HTML tags (e.g., `<script>alert('XSS')</script>`) in the input markdown file. This is a severe vulnerability, but there is no evidence of intentional malicious behavior like data exfiltration or persistence.