Skill v1.1.0

VirusTotal security

ClawMind · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:42 AM
Hash: 4804e7dea2989158936f50eee070850f2969c2f25aaf9b0772b7188c788ac3d8
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: clawmind
Version: 1.1.0

The skill is classified as suspicious due to several shell/JSON injection vulnerabilities and a file permission issue. In `scripts/clawmind.sh`, the `register` command directly embeds user-provided `NAME` and `DESC` into a JSON payload, and the `vote-*` commands directly embed the `DIR` argument into JSON, creating potential JSON injection risks. Additionally, the script creates `~/.config/clawmind/credentials.json` without explicitly setting restrictive file permissions (e.g., `chmod 600`), which could expose the API key to other local users depending on the system's umask, contradicting the claim in `SKILL.md`.