Back to skill
Skillv1.0.0
VirusTotal security
HML Google Slides · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:56 AM
- Hash
- a9fc5dcea752ac2a3fc02f79a2641c51b3d925cc1c9c01e20365251516a5112a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hml-google-slides Version: 1.0.0 The skill is classified as suspicious due to several significant vulnerabilities. The `scripts/slides.py` exports a Google OAuth refresh token to `/tmp/gog_slides_token.json` without cleanup, creating a local information disclosure risk. The `cmd_export` function allows arbitrary file paths for output, potentially leading to unauthorized file writes. Most critically, the `cmd_batch` function executes arbitrary Google Slides API batch update requests from a user-provided JSON file, which, as documented in `references/batch_requests.md`, enables powerful actions like inserting images from arbitrary URLs (SSRF risk) and other broad API manipulations without input validation. While these are vulnerabilities rather than direct malicious intent, they present a substantial attack surface.
- External report
- View on VirusTotal