Back to skill
Skillv1.0.2
VirusTotal security
macos-wechat-send · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:16 AM
- Hash
- cede386b80ccce5e4a4ae657bc6dbe781c104549910007550b2b4695f52a6d32
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: macos-wechat-send Version: 1.0.2 The skill contains a potential AppleScript injection vulnerability in `wechat-send.py` within the `copy_file_in_finder` function, where the `abs_path` variable is inserted directly into an AppleScript string without sanitization. An attacker providing a specially crafted file path containing double quotes could execute arbitrary AppleScript commands. Additionally, `wechat-send.sh` contains hardcoded local paths (e.g., `/Users/sincere/`), which is a poor security practice and indicates a lack of environment generalization. While the tool's primary purpose is legitimate UI automation for WeChat, these implementation flaws pose a risk of exploitation.
- External report
- View on VirusTotal