Skill v0.1.1
VirusTotal security
Listenhub · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:47 AM
- Hash: 109488c692b6d11b2242953747d2c7062cd5f681dc6d2ee127d4185fca1c09bf
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: listenhub-official-skills
  - Version: 0.1.1

  The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `scripts/generate-image.sh`. The `setup_config` function writes user-provided API keys and output directory paths directly into shell RC files (`~/.zshrc`, `~/.bashrc`) without sufficient sanitization. This allows an attacker (or a malicious AI agent) to inject arbitrary shell commands into these configuration files, which would be executed when the shell is sourced. For example, providing `lh_sk_...; rm -rf /` as an API key during setup would lead to command execution.

  Additionally, the `eval "$install_cmd"` in `check_dependencies` is a risky practice, although its immediate exploitability is limited by hardcoded dependency names.

  There is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation, but these vulnerabilities pose a significant risk of unauthorized command execution.
