Back to skill
Skillv1.0.1
VirusTotal security
MUD · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:43 AM
- Hash
- 4a03399bb14f74bb7be6f86f02f1a62006a589fd5889e92cd166f608f7dc75ad
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mud Version: 1.0.1 The skill is classified as suspicious due to the direct execution of user-controlled input via `subprocess.run` in `scripts/mud_cmd.py`. While `shlex.split` is used to parse arguments, mitigating direct shell injection, it still presents a risk of argument injection into the underlying `mud_agent.py` script or more sophisticated prompt injection attacks against the AI agent's interpretation of the command. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the pattern of executing user-provided commands without robust input validation beyond `shlex.split` constitutes a significant vulnerability.
- External report
- View on VirusTotal