Skill v1.0.2

VirusTotal security

Openclaw-X-article-cover-generator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:04 AM
Hash
73091400d4b8d975eede393060030365ffad1fc2a989dad44f96d584c2ff85fb
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: openclaw-x-article-cover-generator
Version: 1.0.2

The skill is classified as suspicious due to critical vulnerabilities in `scripts/generate_cover.py`. Specifically, the `normalize_reference` and `b64_data_uri` functions allow Local File Inclusion (LFI), enabling an attacker to read arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and exfiltrate their base64-encoded content to the external API `https://api.bltcy.ai`. Additionally, the `save_from_url` function allows arbitrary file writes if the `--output` argument is controlled, and the `build_prompt` function is vulnerable to prompt injection against the external AI model via unsanitized user input for `--title` and `--subtitle`.