Skill v1.0.0
VirusTotal security
Divination · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:22 AM
- Hash: 646076708e5bc93fa22e139994b9aca8723906a758d054829f1d08acdfd3142b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: divination; Version: 1.0.0. The skill bundle provides a divination toolkit using bash scripts and reference data. While the intent appears to be a legitimate 'oracle' feature for AI agents, the script `scripts/divine.sh` contains a shell injection vulnerability in the `dice` function. Specifically, the input argument for the number of sides is used directly within a bash arithmetic expansion `$(( ... ))` without sanitization, which allows for arbitrary command execution if a malicious user convinces the agent to pass a crafted string (e.g., `1+$(payload)`) as the dice parameter. This qualifies as a high-risk vulnerability, though no clear evidence of intentional malice was found.
- External report: View on VirusTotal
