Back to skill
Skillv1.0.0
VirusTotal security
Tmp Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:46 AM
- Hash
- ba68b77c739a0fdc8d5f937c1d0ad8e74d04b6f89028820bef361c1a19e7e5c1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tmp-skill Version: 1.0.0 The skill bundle is classified as suspicious due to a shell injection vulnerability found in `scripts/lead-tracker.sh`. Specifically, the `search` command passes user-controlled input (`$2`) directly to `grep` without proper quoting, allowing for arbitrary command execution (RCE). While the overall purpose of the skill appears benign, this critical flaw could be exploited by an attacker or a compromised agent to execute commands on the host system.
- External report
- View on VirusTotal