Skill v1.0.0
VirusTotal security
Keepa Api · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:52 AM
- Hash
- 4367c9877e03a3082bcc3ec37d6f4d9dce80c9e9a7942a900c86a244d195585b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill; Name: keepa-api; Version: 1.0.0. The skill bundle is designed for a legitimate purpose (Keepa API client). However, the `scripts/keepa.sh` script contains a URL parameter injection vulnerability in the `cmd_search` function. The `query` parameter, which is user-controlled, is only partially URL-encoded (spaces replaced with '+') before being embedded into the `curl` request. This allows other URL special characters (e.g., '&', '=') to be injected, potentially manipulating the API request to `api.keepa.com` by overriding or adding parameters. While this is a vulnerability and not clear evidence of intentional malice (e.g., exfiltration to an attacker-controlled server), it represents a significant security flaw in input sanitization.
