Skill v0.6.1
VirusTotal security
SpecClaw · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Mar 30, 2026, 4:56 AM
- Hash: cc376acaaaa11e3e640b53a4923cc89663a2d7c0b06fdb03b49a77417f530afc
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: specclaw; Version: 0.6.1. The specclaw skill bundle implements a complex spec-driven development framework that orchestrates sub-agents to automate code changes. It is classified as suspicious due to the use of 'eval' in 'scripts/build.sh' and 'scripts/verify.sh' to execute shell commands (test, lint, and build) defined in the 'config.yaml' file. This creates a significant Remote Code Execution (RCE) vulnerability if the configuration is manipulated. Additionally, 'scripts/gh-sync.sh' handles GitHub authentication tokens to interact with the GitHub API (api.github.com). While these capabilities are aligned with the stated purpose of a build and synchronization engine, the lack of input sanitization for executed commands represents a high-risk behavior without evidence of intentional malice.
