Skill v1.0.0

VirusTotal security

Birdfolio · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:11 AM
Hash
3fcea8446b6068124c179fafd54daa7d871bb48f6451af8e3a5659a54bd6d3a0
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: birdfolio
Version: 1.0.0

The skill is classified as suspicious due to potential shell injection vulnerabilities in `SKILL.md` where user-controlled input (e.g., `{region}`, `<attachment path>`) is passed to `exec` without explicit sanitization, relying on the OpenClaw agent's robustness.

Additionally, a clear Cross-Site Scripting (XSS) vulnerability exists in `scripts/generate_card.py` and `scripts/generate_checklist_card.py`, which embed unsanitized user/AI-generated text (e.g., `args.species`, `args.fun_fact`) directly into HTML templates. These vulnerable HTML files are then rendered by `scripts/screenshot_card.js` in a headless browser, allowing arbitrary JavaScript execution within that context.

While the skill's functionality is aligned with its stated purpose, these flaws present significant attack surfaces.