Skill v1.0.1

VirusTotal security

post-to-xhs · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:37 AM
Hash
4bca0021d389a03d59c98dacf451a440580d94b85cdf0210f48ce7097affe699
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: post2xhs
Version: 1.0.1

The skill bundle is classified as suspicious due to its reliance on executing external binaries (`xhs-mcp`) with user-controlled input and handling user-provided file paths for publishing content, as detailed in `SKILL.md`. These actions introduce potential vulnerabilities such as shell injection or path traversal if the underlying `xhs-mcp-py` tool or its dependencies (like `convert` from ImageMagick, which has a history of vulnerabilities) do not adequately sanitize or validate inputs.

While the stated purpose of Xiaohongshu content management appears benign, the inherent risks associated with these capabilities without clear evidence of robust input sanitization warrant a 'suspicious' classification, rather than 'malicious' as there is no proof of intentional harmful behavior or prompt injection against the agent.