Skill v1.0.0

VirusTotal security

Paradiz · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:36 AM
Hash
166d13e3417038d669cf1cfccfb4417dadb9d10f732e549be5dccf5bc3cb37ec
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: paradiz
Version: 1.0.0

The skill is classified as suspicious primarily due to a potential XML injection vulnerability in `scripts/save_booking.py`. When generating booking documents in `.docx` format from a `.dotx` template, user-controlled input (e.g., guest names, notes) is directly replaced into the XML content without proper XML escaping. This could lead to malformed documents or, in a worst-case scenario with a vulnerable document viewer, allow for XML-related attacks (e.g., XXE).

Additionally, the skill handles sensitive Personally Identifiable Information (PII) such as guest names, phone numbers, and emails, storing them in local files (`data/bookings.txt`, `data/bookings.jsonl`, `data/holds.jsonl`) and transmitting them to an external Telegram API endpoint (api.telegram.org). While these actions align with the stated booking management purpose, the combination of PII handling and a document generation vulnerability warrants a 'suspicious' classification, as it presents a risk of data integrity issues or potential exploitation, even if not explicitly malicious in intent.