Skill v0.1.0

VirusTotal security

Zhy Markdown2wechat · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 6:26 AM
Hash: 567ac7fee0edd4488d15841cc91bae486d0f6cdcaf88ae3b94574a92358f0ec4
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: zhy-markdown2wechat
Version: 0.1.0

The skill converts Markdown to WeChat-compatible HTML using a Node.js script (scripts/convert.js) that dynamically installs dependencies (marked, juice) via 'npm install' at runtime. While this supports the stated 'zero deployment' goal, the use of child_process.execSync and the lack of input sanitization on file path arguments (mdPath, cssPath, outPath) present risks for command injection and path traversal. These behaviors appear to be risky implementation choices rather than intentional malware, but the automated execution of shell commands and dynamic package fetching warrants a suspicious classification.