Back to skill
Skillv1.0.0
VirusTotal security
wechat-pack · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:54 AM
- Hash
- 1b3f8326d9fb30d61fe6042c773c17966881c7dd409a2d5d59a5d95a11f08079
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wechat-pack Version: 1.0.0 The skill is classified as suspicious due to significant vulnerabilities that could lead to local file disclosure and arbitrary URL fetching. The `scripts/pack_wechat.py` script, when processing user-provided input files, will copy local files referenced in `<img>` tags (e.g., `<img src="/etc/passwd">`) into the output `assets/` directory, making them accessible. Additionally, the script downloads images from arbitrary URLs specified in the input document or via the `--cover` argument, allowing the agent to make network requests to arbitrary external endpoints. While these capabilities are related to the skill's stated purpose, they represent critical vulnerabilities that could be exploited by a malicious user providing crafted input, without clear evidence of intentional malicious behavior by the script author.
- External report
- View on VirusTotal