Back to skill
Skillv0.1.0
VirusTotal security
Grupo Venus · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:45 AM
- Hash
- 08fb9760e48be1a1519085b2a0e4865b3d0e918571266ca2a646b55e43033c52
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: grupo-venus Version: 0.1.0 The skill bundle is designed to interact with `grupovenus.com` for astrological reports. It uses `curl` extensively to fetch and post data, and `python3` for URL decoding. The primary concern is the potential for shell injection vulnerabilities in `skill.md`. Multiple `curl` commands construct arguments using user-provided data (e.g., city names, person names, dates) without explicit instructions for the agent to sanitize or escape these inputs before execution. If the OpenClaw agent directly interpolates user input into these shell commands, an attacker could inject arbitrary shell commands. The use of `python3 -c` for URL decoding, while legitimate, also represents a powerful primitive that could be exploited if the input source (the `d0` cookie from `grupovenus.com`) were compromised. These are significant vulnerabilities, classifying the skill as suspicious rather than benign, despite no evidence of intentional malicious behavior.
- External report
- View on VirusTotal