Back to skill
Skillv1.0.0
VirusTotal security
Mindmap Generator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:09 AM
- Hash
- 66392e86112ffb6a65b3a69add009d5202c3db31273f10c6ad45bac81881e79f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mindmap-generator Version: 1.0.0 The skill's primary function to generate and send mindmaps via Telegram is benign, but it contains suspicious elements and vulnerabilities. The `scripts/render_mindmap.sh` script attempts to load the `mmdc` executable from `/tmp/mmdc-test/node_modules`, which is an unusual and potentially exploitable search path that could allow an attacker to substitute a malicious executable. Furthermore, the `SKILL.md` instructions for the agent to `echo "$MERMAID_CONTENT" > /tmp/mindmap_input.mmd` introduce a prompt injection vulnerability, as a sophisticated agent could potentially be coerced into injecting shell commands into `$MERMAID_CONTENT`, leading to arbitrary code execution. The use of `npx -y` to auto-install `@mermaid-js/mermaid-cli` also presents a supply chain risk by bypassing user confirmation.
- External report
- View on VirusTotal