Skill v1.0.0
VirusTotal security
AI Revenue Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:15 AM
- Hash: a33be39cf848d5a40bf69b38dfa4b785fb7efebe5445b060a72c04928b100bb9
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: ai-revenue-tracker; Version: 1.0.0

  The `main.sh` script, designated as the primary entry point, exhibits a critical input sanitization vulnerability. When logging revenue via the `log` command, user-provided arguments (`$2`, `$3`, `$4`) are directly concatenated into the `logs/revenue.log` file without any escaping or sanitization.

  While the script's internal processing of this log file (using `grep`, `awk`, `sed`) does not immediately lead to shell injection, this flaw allows an attacker to inject arbitrary strings, including shell metacharacters, into a persistent log file. This creates a high-risk condition where subsequent processing of this log file or generated reports by other components (e.g., the AI agent itself, or other skills) could be vulnerable to command injection or other forms of exploitation.
