Skill v1.0.0

VirusTotal security

Skillstore · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:06 AM
Hash
01ebda56ca3c06c6fd69372f249a2bca372ba80231c47a16acbc44f81e6865e3
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: skillstore
Version: 1.0.0

The `main.js` file contains a critical shell injection vulnerability (RCE) in the `installFromGitHub` function. It uses `child_process.exec` with unsanitized `repo` and `name` variables, which are directly sourced from GitHub API responses. A malicious GitHub repository with a crafted name could exploit this to execute arbitrary commands on the system when a user attempts to install it.

Additionally, the `createNewSkill` function, when invoked via `skillstore create <name>`, is vulnerable to code injection as it embeds the unsanitized `<name>` argument directly into the generated `main.js` template, allowing for arbitrary code to be injected into newly created skills.