Back to skill
Skillv1.0.1
VirusTotal security
Placed Job Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:18 AM
- Hash
- 5cf612155598873c188e509c2ec5b33fad1863187c603b5c0101aae93c7b513d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: placed-job-tracker Version: 1.0.1 The skill contains a shell injection vulnerability in the `placed_call` function defined in `SKILL.md`. The function insecurely embeds the `$args` variable directly into a `curl` command string, which could allow for arbitrary command execution if the agent is provided with malicious input. While the skill's stated purpose of tracking job applications via `https://placed.exidian.tech` appears legitimate, the lack of input sanitization in the shell-based API caller poses a significant security risk.
- External report
- View on VirusTotal