Skill v1.0.1

VirusTotal security

Info Card · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Mar 29, 2026, 6:16 AM
Hash
9ef383d44826924094f9872206c47bb0755d39da7c2ff4345d8e7fdb02308045
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: info-card
Version: 1.0.1

The skill bundle provides a tool for generating 'Little Red Book' style info cards by rendering HTML templates into PNG images using Playwright. While the code in `scripts/generate_card.py` is well-structured and aligns with the stated purpose, it lacks input sanitization when substituting user-provided data into the HTML templates (e.g., in the `render_html` and `_render_academic_sections` functions). This creates a significant vulnerability where a crafted JSON payload could execute arbitrary JavaScript within the headless browser, potentially leading to local file disclosure (LFI) or Server-Side Request Forgery (SSRF) via the generated screenshot. Because this appears to be an unintentional security flaw rather than a deliberate attack, it is classified as suspicious.