Skill v1.0.0
VirusTotal security
Book Writer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 4:13 AM
- Hash: 8792287489f529dabd7ab9088633c2baace46e61480a946a1f21150879d1d872
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: book-writer. Version: 1.0.0. The skill is classified as suspicious due to two significant vulnerabilities. The `scripts/book_writer.py` file contains a path traversal vulnerability in its `save_book` function, where the output directory name (derived from user input or LLM output) is directly used to construct a file path without sanitization, potentially allowing arbitrary file writes outside the intended `generated_books` directory. Additionally, `scripts/install_dependencies.py` uses `subprocess.run(cmd, shell=True)`, which, while currently used with hardcoded commands, presents a shell injection risk if user-controlled input were ever passed to it.
