Skill v0.1.0
VirusTotal security
docx · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 14, 2026, 1:41 PM
- Hash: ba1f7ca1f67dea61166ca7d4979868d1646fb79922eeb69aca28dd8d8ea1784b
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: organize-messy-files-docx
  - Version: 0.1.0
  - The skill bundle provides a comprehensive toolkit for DOCX manipulation but contains several high-risk vulnerabilities and aggressive agent-steering instructions. Specifically, ooxml/scripts/unpack.py uses zipfile.extractall(), which is vulnerable to Zip Slip (arbitrary file write), and ooxml/scripts/validation/base.py utilizes lxml.etree.parse() without explicit protections against XML External Entity (XXE) attacks. Furthermore, SKILL.md employs prompt-injection-style 'meta-instructions' (e.g., 'MANDATORY - READ ENTIRE FILE', 'NEVER set any range limits') to override the agent's default behavior, which, while likely intended for context preservation, represents an attack surface for controlling agent execution.
