Back to skill
Skillv1.0.0
VirusTotal security
Cardnews · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:59 AM
- Hash
- f157adb1a336b4811b6c8fec7148008e7db6e8f608008f59dfd1b5134d0ea095
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cardnews Version: 1.0.0 The `SKILL.md` instructs the OpenClaw agent to construct and execute shell commands (`uv run`, `python3`) where parameters like image prompts and filenames are derived from user input (the 'topic'). This creates a significant shell injection vulnerability if the agent does not properly sanitize or escape user-provided input before executing these commands, potentially leading to arbitrary command execution. While the `scripts/convert_jpg.py` file itself is benign, its execution is part of this vulnerable command construction pattern.
- External report
- View on VirusTotal