Back to skill
Skillv1.1.0
VirusTotal security
LovTrip China Map (Amap) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:29 AM
- Hash
- 02c1e8dd660a15f7af4cf8d08f10faaa57909cce49b9316e567796f1c9b92a36
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lovtrip-china-map Version: 1.1.0 The skill bundle contains a shell injection vulnerability in `scripts/amap.sh`. User-provided inputs (such as addresses and keywords) are directly embedded into a Python command string for URL encoding without proper escaping, which could allow arbitrary code execution. While this is a significant security flaw, it appears to be an unintentional programming error rather than a malicious backdoor, as the script's logic otherwise aligns with its stated purpose of interacting with the legitimate Amap API (restapi.amap.com).
- External report
- View on VirusTotal