Back to skill
Skillv2026.2.17
VirusTotal security
Skillstore · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:12 AM
- Hash
- 42f824b4de553325893c52fe410cde984598da8dfb3694c1c15b77754d39c496
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: glitch-skillstore Version: 2026.2.17 The `main.js` file uses `child_process.exec` to perform `git clone` operations for installing skills from GitHub. While the input variables (`repo` and `name`) are sourced from the GitHub API and GitHub repository naming conventions generally mitigate simple shell injection, the use of `exec` with external input is a high-risk capability that represents a potential Remote Code Execution (RCE) vulnerability. This is classified as suspicious due to the presence of a powerful primitive that could be exploited if input sanitization or source constraints were to change, rather than clear evidence of intentional malicious behavior like data exfiltration or backdoors.
- External report
- View on VirusTotal