Skill v1.0.0

VirusTotal security

Hotspot Aggregator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Mar 23, 2026, 5:31 AM
Hash: a0bcb8998778162b86a40a39a19142457de04a58c8981a824721db1f387ac7ab
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: ai-hotspot-daily
Version: 1.0.0

The skill bundle contains a command injection vulnerability in 'scripts/generate-daily-report.js' where news headlines are passed to a shell command via 'execSync' with insufficient sanitization (only escaping double quotes). Additionally, both 'scripts/fetch-hotspots.js' and 'scripts/generate-daily-report.js' contain hardcoded absolute file paths (e.g., '/home/lin/...') which suggests poor portability and potential developer oversight. While the code appears to fulfill its stated purpose of aggregating news via RSSHub, the lack of input validation on external data makes it vulnerable to exploitation.