Skillv1.0.0

VirusTotal security

Goal Setter · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewApr 30, 2026, 6:11 AM

Hash: f12f7d257563c0638673b5a0d5f623879314a27a3519f85b5db6003d1ee27fb4
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: goal-setter Version: 1.0.0 The script `scripts/goal_setter.sh` contains multiple critical code injection vulnerabilities where unsanitized shell variables (such as `$goal`, `$step`, and `$pct`) are embedded directly into Python commands executed via `python3 -c` and heredocs. This allows for arbitrary Python code execution if a user or a malicious prompt provides a crafted input string. While the tool's logic appears to align with its stated purpose of goal tracking and no evidence of intentional malice or data exfiltration was found, the high-risk nature of these vulnerabilities warrants a suspicious classification.
External report: View on VirusTotal