Back to skill
Skillv1.0.0
VirusTotal security
WeChat Articles Reader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:35 AM
- Hash
- 1378b90c838639f8e1cb11fe95509bb1bbda3d451990b6a555956b531a369980
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wxmp-reader Version: 1.0.0 The skill contains a potential shell injection vulnerability in 'fetch_wechat.js' and 'screenshot_wechat.js' because they use 'execSync' to execute a 'find' command using unquoted environment variables (NVM_DIR and HOME) to locate dependencies. While the scripts' primary logic for bypassing WeChat's anti-bot detection is well-documented and aligned with the stated purpose, the use of shell execution for dependency discovery is a risky implementation flaw. Additionally, the 'SKILL.md' instructions contain rigid directives that force the agent to always capture and send screenshots even if the user only requests a text summary.
- External report
- View on VirusTotal