Back to skill
Skillv1.0.1
VirusTotal security
Currency Converter · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:27 AM
- Hash
- f8b8e46e60529129de77545a696d7e2a729ba009c6eb42e7db92d6f6787fff3b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: currency-converter Version: 1.0.1 The `SKILL.md` file instructs the AI agent to construct a shell command (`python3 currency_converter.py ...`) by directly embedding user-provided parameters (`{金额}`, `{原始货币代码}`, `{目标货币代码}`). This design introduces a shell injection vulnerability, as a malicious user could potentially inject arbitrary commands if the AI agent does not properly sanitize or escape these parameters before execution. While the `currency_converter.py` script itself is benign, uses `argparse` for robust argument handling, and performs legitimate network requests to `api.exchangerate-api.com` for currency data, the method of command construction in `SKILL.md` poses a significant security risk.
- External report
- View on VirusTotal