Skill v2.0.1
VirusTotal security
Skill Safe Install · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:42 AM
- Hash: 8e92a5042e83f25594511a99aca9ac23d7fbf3acac645d06aa5d744aa460bb67
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: skill-safe-install. Version: 2.0.1.

  The skill's stated purpose is to enhance security by vetting other skills, which is benign. However, the `scripts/safe-install.mjs` script uses `child_process.execSync` to execute `clawhub` commands with user-provided `skillName` input. Although the `skillName` is double-quoted, this is insufficient to prevent shell injection if a malicious `skillName` contains crafted characters (e.g., `"; evil_command; echo "`). This constitutes a critical shell injection vulnerability (RCE risk) that could allow an attacker to execute arbitrary commands on the system, classifying the skill as suspicious despite its benevolent intent.
