Skill v1.0.0
VirusTotal security
Magic Quill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Apr 30, 2026, 4:22 AM
- Hash: eeac2ba66101a94746e109d8b08af27938a480b206b1cdfc141fc533c3c2fdf6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: magic-quill; Version: 1.0.0. The skill is classified as suspicious due to several vulnerabilities. The `scripts/generate-spell-mapping.mjs` script allows for arbitrary file writes via the `--out` argument, which uses `path.resolve` without sanitization, enabling path traversal. Additionally, the skill performs Server-Side Request Forgery (SSRF) by fetching content from user-provided URLs (`--url`) and dynamically discovered URLs (via DuckDuckGo searches and recursive link following in `fetchSpellListReference` and `fetchLoreFromUrl` functions), without validating against internal network access. While these are significant risks, there is no evidence of intentional malicious behavior like data exfiltration or persistence mechanisms.
