Back to skill
Skillv1.0.0
VirusTotal security
Jwt Debugger · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 12:01 AM
- Hash
- f6fac6b144850e75e9f74eb66be81bb72f28f5be39c1734a36564939a73b9b85
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: jwt-debugger Version: 1.0.0 The skill provides JWT debugging utilities but contains code injection vulnerabilities in SKILL.md. Specifically, the 'validate' command templates use direct string interpolation of variables like $TOKEN and $SECRET into Python scripts executed via 'python3 -c', which could allow arbitrary code execution if the inputs are not properly sanitized. While the functionality aligns with the stated purpose and no evidence of intentional malice or data exfiltration was found, the insecure handling of user-controlled variables in command examples is a high-risk flaw.
- External report
- View on VirusTotal