Skill v1.0.0
VirusTotal security
pandoc-docx · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Mar 21, 2026, 1:01 PM
- Hash: 5fdd35e692a5400885f45b8d388482704484c675bff6e7404f6a98d5fe69e855
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: pandoc-docx
  - Version: 1.0.0

  The skill bundle provides document conversion utilities using pandoc but contains significant command injection vulnerabilities due to improper input sanitization. Specifically, `scripts/doc-edit.sh` uses unsanitized variables in a `sed` command, which can be exploited for remote code execution (RCE) via the `e` flag. Additionally, `scripts/doc-read.sh` and `scripts/doc-write.sh` pass format arguments directly to `pandoc`, which could allow for argument injection. While these appear to be unintentional security flaws rather than deliberate malware, they pose a high risk to the environment.
