Skill v2.8.8
VirusTotal security
Huo15 Wecom Plugin · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 11:11 PM
- Hash: 3d44dc6ee2fe871d344ae1aecacec63d8fe6354e975c711681242fb163f32e1b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: huo15-wecom; Version: 2.8.8. The plugin implements a high-risk 'local path delivery' feature in src/capability/bot/local-path-delivery.ts that allows the AI agent to read and exfiltrate files from sensitive system directories (including /root, /home, and /Users) if a 'send intent' is detected in the user's message. This logic relies on a broad regex and heuristic intent check while bypassing the path-restriction checks (assertLocalMediaAllowed) used elsewhere in the bundle, creating a significant path traversal and data exfiltration vulnerability. Additionally, the MCP transport in src/capability/mcp/transport.ts fetches configuration URLs from the remote WeCom server, which could be exploited for SSRF attacks.
