Back to skill
Skillv1.0.0
VirusTotal security
Caldav · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:27 AM
- Hash
- bea5e08da169eb5b7044e0582aacbb70550b943daff7a83ff6d513ce225bb9da
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: caldav-skill Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/radicale.py`. The `cmd_users_add` function passes the `args.username` directly to the `htpasswd` command via `subprocess.run` without proper sanitization, allowing for arbitrary command execution if an attacker can control the username input. Additionally, `scripts/calendars.py` has potential arbitrary file read/write vulnerabilities in its `cmd_export` and `cmd_import` functions, as it uses user-supplied paths (`--output`, `--file`) without apparent path validation, which could lead to path traversal or overwriting/reading sensitive files.
- External report
- View on VirusTotal