Skill v1.1.0
VirusTotal security
Competitor Watch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:47 AM
- Hash: e286a97850ff197809d579b38eb37192db64b465f5eff073007f4faa425d8d08
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: competitor-watch; Version: 1.1.0. The skill bundle is highly suspicious due to critical shell injection and prompt injection vulnerabilities. The `scripts/check.sh` script directly interpolates user-controlled `$page_url` (from `config.json`) into a `clawd web_fetch` command without proper shell escaping, leading to a Remote Code Execution (RCE) risk. Additionally, `scripts/report.sh` constructs alert messages (`$formatted_report`) that include content directly from fetched web pages (`added`, `removed`) and passes them to a simulated `clawd message send` command, creating a prompt injection vulnerability against the OpenClaw agent. An attacker controlling competitor URLs or content could exploit these flaws to execute arbitrary commands or manipulate the agent's behavior.
