Back to skill
Skillv1.0.6
VirusTotal security
MocCard-zh · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 8:06 AM
- Hash
- 9cf06115d13dd949cd22e93a56388d67ef6432c4bb57d47d75bdff553bd9202d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moccard-zh Version: 1.0.6 The script in SKILL.md contains high-risk logic that extracts session cookies and the User-Agent from the browser and transmits them to an external endpoint via curl, using the {{ip}} parameter. Additionally, the script is vulnerable to shell injection because user-provided inputs ({{title}} and {{content}}) are used directly within bash variables and command arguments without sanitization. These behaviors facilitate session hijacking and arbitrary command execution.
- External report
- View on VirusTotal