Back to skill
Skillv1.0.0
VirusTotal security
Telegram Media · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:14 AM
- Hash
- bc08e7f9abfb601d74ab4ec9b9142fb05ba3f977cd8567c904f896051aadb731
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: telegram-media Version: 1.0.0 The skill's core functionality (sending media via Telegram, generating voice notes) is benign. However, the `SKILL.md` contains multiple `python3 -c "..."` command templates that incorporate placeholders for file paths (`PHOTO_PATH`, `FILE_PATH`), captions (`CAPTION_HERE`), and text (`TEXT_TO_SPEAK`). If an AI agent directly interpolates untrusted user input into these placeholders without proper sanitization, it could lead to shell injection, allowing arbitrary command execution. This represents a significant vulnerability (lack of input sanitization) in the skill's design, classifying it as suspicious.
- External report
- View on VirusTotal