Skill v0.1.3
VirusTotal security
多平台私信合并助手 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:03 AM
- Hash: 67f242ef859bd72677c20f8cf20618b9e41a95d2a3f48de9d0517b43fd2425e1
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: multi-inbox-merge; Version: 0.1.3. The skill is classified as suspicious due to a critical vulnerability in `scripts/fetch_dingtalk_messages.py`. This script fetches DingTalk messages using credentials (`DINGTALK_CLIENT_ID`, `DINGTALK_CLIENT_SECRET`, `access_token`) which are sent to a user-configurable `DINGTALK_MESSAGES_API_URL`. While the stated purpose is legitimate, the lack of validation or allowlisting for this URL means that if an attacker can control the `DINGTALK_MESSAGES_API_URL` environment variable, they could redirect sensitive DingTalk credentials and access tokens to an arbitrary malicious server, leading to data exfiltration. The `SKILL.md` instructions for the agent to check for this variable do not mitigate this content-based vulnerability.
