Skill v1.0.0
VirusTotal security
Apple Contacts · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:02 AM
- Hash: 08aa1d3771c1221a417c8bd81cd62fc88dbdd24dbc9b2ffc9d3a289fbe5596cc
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: mac-contacts. Version: 1.0.0. The `scripts/mac-contacts.py` file contains a critical shell injection vulnerability in the `cmd_remove_from_list` function. This function uses `osascript` to interact with macOS Contacts.app, and the `args.name` and `args.list` inputs are insufficiently sanitized using `replace('"', '\"')` before being embedded into an AppleScript string. This allows an attacker to inject arbitrary AppleScript commands, including `do shell script` commands, leading to remote code execution on the host system. While the skill's stated purpose is benign, this severe vulnerability makes it suspicious.
