Skill v1.0.3

VirusTotal security

ThermikBuddy · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:17 AM
Hash
118e78c3383cd7710278f081dfe118a7e4216612f359962fda780460912f488d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: thermikbuddy
Version: 1.0.3

The skill is classified as suspicious due to a potential shell injection vulnerability. The `SKILL.md` file instructs the OpenClaw agent to execute local Python scripts with user-provided arguments (e.g., `--name <user_input>`). If the agent's runtime environment does not properly sanitize or quote these user inputs before passing them to the shell, an attacker could inject arbitrary shell commands. While the Python scripts themselves use `argparse` safely, the instruction template in `SKILL.md` exposes this critical vulnerability in the agent's execution model. There is no evidence of intentional malicious behavior like data exfiltration or persistence within the skill's code, which otherwise performs legitimate weather forecasting by fetching data from `api.open-meteo.com` and `dhv.de`.