Back to skill
Skillv1.2.0
VirusTotal security
ClawTime Setup · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:21 AM
- Hash
- 73dc21e74b756de1078e403b628f00b1a3740caed9237334e8974842eda905b3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawtime-setup Version: 1.2.0 The skill bundle is classified as suspicious due to a shell injection vulnerability in `scripts/install.sh`. The `openclaw config patch` command directly interpolates the `PUBLIC_URL` variable without proper sanitization, allowing for arbitrary command execution if a malicious `PUBLIC_URL` is provided. Additionally, `SKILL.md` explicitly warns about a command injection vulnerability in the ClawTime server's `TTS_COMMAND` if user input is not sanitized, highlighting a significant risk in the application being installed, though not a direct vulnerability in the skill's execution itself. There is no evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or stealthy backdoors.
- External report
- View on VirusTotal