Skill v3.4.0

VirusTotal security

Localsend · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 4:15 AM

Hash: 20a1302260e11e984b29022704af5416e977cc6dc75ab035d62dd3815a1d2255
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: localsend
Version: 3.4.0

The skill bundle is suspicious due to multiple shell injection vulnerabilities identified in `SKILL.md`. User-provided file paths, text content, and glob patterns are directly interpolated into shell commands (e.g., `localsend-cli send`, `echo`), creating critical Remote Code Execution (RCE) risks if not properly sanitized by the agent. Additionally, the `curl` based installation method for `localsend-cli` introduces a supply chain vulnerability by fetching and executing a remote script from GitHub, which could be compromised. These issues represent significant security flaws rather than explicit malicious intent.