Back to skill
Skillv0.1.0
VirusTotal security
Office To Md V2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:57 AM
- Hash
- 88853fab6bb3b372dff8a198ab47efae3a3b0953b8b1050bf57e09c314038c44
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: office-to-md-v2 Version: 0.1.0 The skill is classified as suspicious due to its extensive use of `child_process.execSync` in `office-to-md/utils/pptConverter.js` to execute external commands like `python3`, `pip3`, `unzip`, and `rm`. While the `filePath` argument passed to these commands appears to be properly quoted, the use of `execSync` for auto-installing dependencies (`pip3 install python-pptx`) and running external scripts introduces a significant attack surface and supply chain risk. There is no clear evidence of intentional malicious behavior, but these high-risk capabilities could be exploited if inputs are not perfectly sanitized or if the execution environment is compromised.
- External report
- View on VirusTotal