Back to skill
Skillv0.1.1
VirusTotal security
Cancorteaw App · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:27 AM
- Hash
- ef76505075bf7db29791326e76565f49826a5813b4164c45689162890ba449ff
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cancorteaw-app Version: 0.1.1 The skill is classified as suspicious because the core `appctl` script, which is responsible for all command execution and input sanitization, is not provided for review. The `skill.json` entrypoint directly passes raw user input (`{{args}}`) to this unseen script, which then performs high-risk operations like executing `npx` commands and writing files. While `SKILL.md` claims robust safety measures (allowlisting, path constraints), these are unverifiable without the `appctl` script, creating a significant potential for shell injection, path traversal, or arbitrary code execution if `appctl` is vulnerable. This represents a critical vulnerability rather than clear malicious intent in the provided files.
- External report
- View on VirusTotal