Skill v3.0.0
VirusTotal security
QR Code Generator (二维码生成器) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:16 AM
- Hash: 027140dacbc9dcc64a8bede568264162b86f103e98bc3b2deff0bf321012477b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: pr-generator. Version: 3.0.0. The `agent.py` skill is suspicious due to a Local File Inclusion (LFI) vulnerability. The `image_path` parameter in the `handle_call` function, which is processed by `file_to_base64`, allows reading arbitrary files on the system (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). The content of these files is then base64 encoded and embedded into a QR code image, whose path is returned by the skill. While the skill's stated purpose is to generate QR codes from images, the lack of input sanitization or path restrictions on `image_path` creates a significant information disclosure risk, allowing an attacker to potentially extract sensitive data via crafted input. There is no evidence of intentional malicious behavior like exfiltration to external servers or backdoor installation, classifying this as a vulnerability rather than malware.
