Skill v1.0.0
VirusTotal security
Angus Bounty Hunter · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:22 AM
- Hash: `1c7999ffe1d7d4fd619a2c1a048e74a952867e546a03fb8bca1d6ba0bc61b5d2`
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: angus-bounty-hunter
  - Version: 1.0.0
  - The skill bundle is classified as suspicious due to multiple critical shell injection vulnerabilities in `scripts/scan.sh` and `scripts/triage.sh`. Unsanitized user inputs (`REPO_URL`, `SRC_DIR`, `JSON_FILE`) are directly interpolated into shell commands (`git clone`, `grep`, `solc-select`, `python -c`, `curl -d`), allowing for arbitrary command execution (RCE) and potential path traversal. For example, `scripts/scan.sh` is vulnerable to shell injection via `REPO_URL` and `SRC_DIR`, and `scripts/triage.sh` is vulnerable to Python code injection and shell injection via `curl -d` due to unsanitized `JSON_FILE` content. These are severe vulnerabilities that could be exploited by a malicious actor, but do not show clear evidence of intentional malicious behavior by the skill author.
