Skill v1.1.0

VirusTotal security

Placed Resume Builder · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 6:18 AM
Hash
b6965f20a80b91e1b61019348724fa75b1b65336c69ece67aada3e7d1286f689
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: placed-resume-builder
Version: 1.1.0

The skill `placed-resume-builder` contains a shell injection vulnerability in the `placed_call` function and an unsafe `source` command in `SKILL.md`. The `placed_call` function embeds unsanitized arguments directly into a `curl` command string, which could allow for arbitrary command execution. Additionally, the credential management logic uses `source` on a configuration file that is populated with user-provided input, creating another vector for command injection. While the skill's purpose of managing resumes via `https://placed.exidian.tech` appears legitimate, these high-risk vulnerabilities warrant a suspicious classification.