Skillv1.0.0

VirusTotal security

vwu.ai gemini Models · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 30, 2026, 6:32 AM

Hash: cff3b3a29bd5f0dd82ed4af349ecaf4619ba25685df471e4727e6ee4d99f045f
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: vwu-gemini Version: 1.0.0 The script `vwu-chat.sh` contains a command injection vulnerability because it expands the `$PROMPT` variable inside a double-quoted string within a `curl` command. This allows for arbitrary local command execution if the input contains shell metacharacters or substitutions (e.g., `$(...)` or backticks). While the bundle's stated purpose is to provide a wrapper for the `vwu.ai` API, the lack of input sanitization in the shell script constitutes a high-risk vulnerability.
External report: View on VirusTotal