
VirusTotal security

Agent Postcard · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:38 AM

Hash: 262a8b7ed9ee502f4fc8f5e5707d8e351195971a97cd773805e9907aa72a9b44
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: agent-postcard
Version: 1.0.0

The skill is classified as suspicious due to a potential arbitrary file write vulnerability. The `scripts/send-postcard.mjs` script allows users to specify an arbitrary output path for the generated image via the `--output` flag. This could be exploited to overwrite sensitive system files or user configuration files with a PNG image, leading to denial of service or system instability. While the skill's core functionality (generating postcards via an external API) appears benign, this file system access vulnerability elevates the risk.