Skill v1.0.0
VirusTotal security
Openclaw Switch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:25 AM
- Hash: dc3770851db0fbf194ce63faae53e85ecc16daddabc731bfd6a94a05cb06c1b7
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: openclaw-switch. Version: 1.0.0. The `set_primary` function in `scripts/openclaw-switch.sh` is vulnerable to Python code injection. The model ID, which is used as input to this function, is directly interpolated into a Python string without proper sanitization. This creates a second-order code injection vulnerability: if the `openclaw.json` file contains a maliciously crafted model ID (e.g., `model-1'; import os; os.system('echo pwned') #`), selecting this model via the `switch` command would execute arbitrary Python code. While the script itself does not exhibit malicious intent, this vulnerability could lead to Remote Code Execution if the configuration file is compromised or contains untrusted entries.
