Back to skill
Skillv1.0.0
VirusTotal security
pinyin-box · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 21, 2026, 1:51 PM
- Hash
- e2b7f8b42d6bac97574155560b491131c46e0c843bde158010c5590bedb48552
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pinyin-box Version: 1.0.0 The skill is classified as suspicious due to a high risk of shell injection in SKILL.md, which instructs the AI agent to pass user-provided text directly into a CLI command (`pinyin-box -t "文本内容"`) without explicit sanitization. Additionally, the requirements.txt file specifies a direct download of a Python wheel from a GitHub repository (github.com/yanglinzhen/pinyin-box) instead of a standard package registry, which introduces a supply chain risk. While the stated purpose of generating Pinyin practice sheets appears legitimate, these implementation flaws could allow for unauthorized command execution.
- External report
- View on VirusTotal