Skill v1.1.0
VirusTotal security
AppStore Rating Pulse · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:10 AM
- Hash: fe560c32e5ecb098b1639deba3bc51b71c5e56d24124ef092bbe6055a2b18e09
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: appstore-rating-pulse
  - Version: 1.1.0

  The `scripts/fetch-ratings.sh` file contains a shell injection vulnerability. User-configured values for `appId` and `region` from the `APPS` array are directly interpolated into the `curl` command's URL string without proper shell escaping. This allows for arbitrary command execution if a user (or an attacker who modifies the user's configuration) includes shell metacharacters in these variables. While this is a significant vulnerability, it requires user-supplied malicious input into their own configuration, and there is no evidence of intentional malicious behavior (e.g., data exfiltration, backdoor installation) by the skill developer. The `SKILL.md` instructions for the AI agent are benign and do not exhibit prompt injection with malicious objectives.
