Back to skill
Skillv1.0.0
VirusTotal security
Remote Install · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 28, 2026, 5:11 AM
- Hash
- 7e54b8e5273f77ea66ce9015884e79cac9fd72955aa3388628f7d49e8b1cd95f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: remote-install Version: 1.0.0 The skill bundle provides automated remote software installation by programmatically controlling the RustDesk remote desktop client and using GUI automation (pywinauto/pyautogui). While the behavior aligns with the stated purpose in SKILL.md, the script scripts/remote_installer.py contains a shell injection vulnerability in the run_command function due to the use of subprocess.run(shell=True) with unsanitized input. The capability to automate remote access credentials and perform high-privilege GUI interactions (clicking 'Next' and 'Install' buttons) poses a significant security risk if the agent is manipulated via prompt injection, though no clear evidence of intentional malice or data exfiltration was found.
- External report
- View on VirusTotal