Skill v1.0.0

VirusTotal security

Konto API · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:45 AM
Hash
ec68c5a6769d00d13cceab5e71b803f95a66f2eb9f060ee97955ebf1679028e9
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: konto-api
Version: 1.0.0

The skill is classified as suspicious due to shell injection vulnerabilities found in `scripts/konto.sh`. The script directly interpolates unsanitized command-line arguments (`$2`, `$3`) into `curl` commands for the `transactions` and `analytics` endpoints, which could allow for arbitrary command execution if an attacker can control the input provided to the script. For example, passing `category=foo&$(evil_command)` to the `transactions` endpoint could execute `evil_command`. This is a vulnerability, not evidence of intentional malice.