Back to skill
Skillv1.2.0
VirusTotal security
Feishu Sheet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:59 AM
- Hash
- 31c333f7891802810dc4a1c7bec69132b62773e41d2fe066f451da8620b4091b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: feishu-sheet Version: 1.2.0 The skill provides comprehensive Feishu Spreadsheet integration but contains several critical command injection vulnerabilities in `scripts/feishu-sheet.sh`. Specifically, functions like `action_insert_image` and `action_float_image` interpolate shell variables directly into Python code strings (e.g., `python3 -c "with open('$image_path','rb')..."`) without escaping, which allows for arbitrary Python code execution if the file path is manipulated via prompt injection. While the skill includes some security-conscious features like credential validation and per-user token caching in `/tmp`, the flawed implementation of its core logic poses a significant security risk.
- External report
- View on VirusTotal