Skill v0.1.0
VirusTotal security
Nutrition Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:03 AM
- Hash: 8799c1645e5c088e584c753175f4aa59ecb1ab6d61183beefa66fe8a893ddcd5
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: nutrition-tracker
  - Version: 0.1.0
  - The skill contains a code injection vulnerability in `scripts/nutrition_init.sh`, where shell variables (like `--sex` or `--height`) are directly interpolated into an unquoted Python heredoc. This allows for arbitrary Python code execution if the input is maliciously crafted. While this is a significant security flaw, the skill's overall logic is consistent with its stated purpose of nutrition tracking in Obsidian, and there is no evidence of intentional data exfiltration, backdoors, or malicious intent.
