Back to skill
Skillv1.0.0
VirusTotal security
Poetry Daily Art · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 12, 2026, 4:56 PM
- Hash
- dd3820d32184198c1377d0596ccd8aaa02509d8622ce2a5a504a795a8a1779d5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: poetry-daily-art Version: 1.0.0 The skill contains a shell injection vulnerability in `scripts/generate_image.sh` because the `POEM_TITLE` variable is interpolated into a double-quoted string used in a command without sanitization, potentially allowing arbitrary code execution if the source data is compromised. Furthermore, the script uses hardcoded absolute paths to a specific user's home directory (`/Users/hwang/`), which is a significant security risk and suggests the code was not designed for general use. It also extracts data from the agent's memory files to send to an external API (MiniMax), which could lead to unintentional data exfiltration.
- External report
- View on VirusTotal