Back to skill
Skillv1.0.0
VirusTotal security
Hledger · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:46 AM
- Hash
- 48ed760a7d5cb84bf9dc0e1b141c6d378033730ab0d637c1c8dd929ad5d592b8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hledger Version: 1.0.0 The `index.js` file directly concatenates user `input` into a `child_process.exec` call without any sanitization, leading to a critical shell injection vulnerability. This allows arbitrary command execution on the host system, despite the `SKILL.md` documentation claiming that the skill 'does not allow arbitrary shell execution'. This is a severe vulnerability, not intentional malice.
- External report
- View on VirusTotal