Skill v0.1.2

VirusTotal security

Notes Export Api · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
Apr 30, 2026, 6:32 AM
Hash
22ab09bbf9b847513fc1fbdd7684c91c734ab1d7cda6c23c3f23f07ae34da1a0
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: notes-export-api
Version: 0.1.2

The skill exports Markdown to PNG by sending content to a remote API (https://notes.fangyuanxiaozhan.com). A significant security risk exists in `scripts/export_note.sh`, which automatically parses Markdown for local file references and uploads them to the remote server to handle images. Because the script resolves absolute paths and `file://` URIs without sanitization, it could be exploited via prompt injection or malicious Markdown files to exfiltrate sensitive local data (e.g., `![key](/home/user/.ssh/id_rsa)`). While this behavior aligns with the stated purpose of rendering images, the lack of path restrictions makes it high-risk.