Skill v1.0.0
VirusTotal security
XY PubMed PDF Downloader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:31 AM
- Hash: 4a0f9d111854b0f12d6b4b8ec385f78882dca5a8d1d3fc3bf36a321a10642429
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: xy-pubmed-pdf-downloader; Version: 1.0.0. The skill's stated purpose is benign, aiming to download academic PDFs from PubMed Central. The `SKILL.md` file does not contain any prompt injection attempts or malicious instructions for the agent. However, the `scripts/download_pmc_pdf.py` script contains a path traversal vulnerability. The `--filename` argument is used directly in path construction (`self.output_dir / filename`) without sanitization, allowing a user to specify an arbitrary path (e.g., `../../../evil.pdf`) to write the downloaded PDF file outside the intended output directory. While the script downloads content from legitimate sources (NCBI, Europe PMC) and does not execute the downloaded file, this vulnerability could lead to arbitrary file writes on the system.
