Skill v1.1.0
VirusTotal security
agent-self-governance · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:45 AM
- Hash: 2c17e5429ed82647d218ef874a602cb9e35a398e9260393c434a34e9af0dae32
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: agent-self-governance
  - Version: 1.1.0
  - The skill bundle is suspicious primarily due to a critical shell injection vulnerability in `scripts/vbr.py`. The `check_command` and `check_git_pushed` functions use `subprocess.run(target, shell=True)` with unsanitized `target` input, allowing for arbitrary command execution if an attacker can control the input to these functions (e.g., via prompt injection to the agent).
  - Additionally, `SKILL.md` instructs the agent to log sensitive infrastructure details and credentials (like SSH keys) into `TOOLS.md` or `memory/encrypted/`, which, while intended for internal use, presents a data handling risk if the storage mechanism is compromised or the agent is manipulated.
