Skill v1.0.0

VirusTotal security

Arrivelah · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:35 AM
Hash
f12bea9004cd4387bd644b58a0b0b4d223cac608e33e35ac246061d423cd8f86
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: arrivelah
Version: 1.0.0

The `bus-arrival.sh` script is vulnerable to shell injection. It constructs a `curl` command using values (`API_URL` and `STOP`) directly read from `config.json` without proper sanitization. Since `SKILL.md` explicitly instructs users to edit `config.json`, a malicious user could inject arbitrary shell commands into fields like `defaultStop` or `apiUrl` within `config.json`, leading to remote code execution when the script is executed by the OpenClaw agent.