Skill v1.3.0

VirusTotal security

SkillMetricScraper · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:53 AM
Hash
be5c79c0952dba46ab8314756f8ae24f1eb860dca7fe3406af03d8af7ecf6c46
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: skillmetricscraper
Version: 1.3.0

The skill is classified as suspicious due to a shell injection vulnerability in the main `SKILL.md` file. The instruction `python3 run_weekly.py --top 10 --episode ${EPISODE_NUM:-1}` directly substitutes the `${EPISODE_NUM}` variable with user input. If the OpenClaw agent does not sanitize this input, a malicious user could inject arbitrary shell commands (e.g., `1; rm -rf /`), leading to Remote Code Execution (RCE). While the Python code itself appears to align with its stated purpose of tracking skill metrics and community signals, this vulnerability in the agent's execution instructions poses a significant risk.