Back to skill
Skillv1.0.0
VirusTotal security
weather-query-ych · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:04 AM
- Hash
- a24a78c927995b7faec0e4d4c08c77394329c667db49c1af41fc8faf3337e4df
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: weather-query-ych Version: 1.0.0 The skill is classified as suspicious due to significant vulnerabilities related to input sanitization. The `agent.py` file directly interpolates user-provided `city` and `date` values into the API URL without validation, creating a URL injection/SSRF vulnerability. This could allow an attacker to manipulate the API endpoint or potentially target internal network resources if the environment permits. Additionally, the hardcoded API key is a security bad practice, and the naive input parsing `input_text.split("天气")[0]` further exacerbates the risk of malformed input reaching the vulnerable URL construction.
- External report
- View on VirusTotal