Back to skill
Skillv1.1.0
VirusTotal security
Security Guardian · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:03 AM
- Hash
- 9b4bc88d52cc83f0f857e51a074de5dc537a2aee30174edcb234ffab6f9458f7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: security-guardian Version: 1.1.0 The skill is classified as suspicious due to a shell injection vulnerability in `scripts/scan_container.sh`. The script directly passes the `$IMAGE_NAME` argument to the `trivy` command without proper sanitization or quoting, allowing for potential arbitrary command execution if a malicious image name is provided (e.g., `myimage; rm -rf /`). While the skill's stated purpose of security auditing is benign, this critical vulnerability allows for exploitation by a malicious actor controlling the input. Other files (`SKILL.md`, `scripts/scan_secrets.py`) appear benign and well-intentioned, with `scan_secrets.py` even including good security guardrails against scanning dangerous system paths.
- External report
- View on VirusTotal