Skill v1.0.0
VirusTotal security
blog-to-kindle · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 22, 2026, 2:31 AM
- Hash: 1cc4aa977ff992dfa8c04953fdb6417b92c1386c389a90f0f77ad57fc61f21df
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: toby-blog-to-kindle; Version: 1.0.0. The skill bundle contains a hardcoded default Kindle email address (simonpilkington74_8oVjpj@kindle.com) in scripts/send_to_kindle.py and SKILL.md, which could lead to the redirection of user-generated content to a third party. Furthermore, scripts/send_to_kindle.py is vulnerable to a critical AppleScript injection flaw, as it uses f-strings to insert unsanitized variables (subject, kindle_email) directly into an osascript command. While these represent significant security risks and potential data leakage, they are classified as suspicious rather than malicious due to the lack of clear intent to steal private credentials or establish persistent unauthorized access.
