Back to skill
Skillv1.0.0
VirusTotal security
wx-md-article · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:44 AM
- Hash
- 0dfc8055059c135058f28ee4438420b4ddd221e724e924e6c1850af98582170b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wx-md-article Version: 1.0.0 The skill bundle contains hardcoded WeChat API credentials (appid and appsecret) in config.json, which is a significant security risk. Additionally, wechat-article.sh is highly vulnerable to Remote Code Execution (RCE) because it uses double-quoted strings within sed commands (e.g., sed "s/{{TITLE}}/$title/g") to process user-supplied arguments, allowing for shell command substitution. While these represent critical security flaws, they appear to be unintentional vulnerabilities rather than intentional malicious logic.
- External report
- View on VirusTotal