Skill v3.0.0
VirusTotal security
Github Actions Gen · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:57 AM
- Hash: 9c715a055e5b39237425c44f855ddf98c8f08285225c77d36d1e35805d77eecf
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: github-actions-gen; Version: 3.0.0. The script 'scripts/script.sh' contains multiple shell injection vulnerabilities due to unquoted variables and improper argument handling in functions like 'cmd_lint', 'cmd_optimize', and 'cmd_secrets'. Specifically, the script uses '$2' without quotes in file-system operations and grep commands, which could allow arbitrary command execution if a crafted filename is provided. While these appear to be unintentional logic errors (off-by-one argument indexing after a shift), the high-risk nature of the resulting vulnerabilities meets the criteria for a suspicious classification.
