Back to skill
Skillv2.0.1
VirusTotal security
Skill Template · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:48 AM
- Hash
- 9bbfb923e78aa8493fff5ebc1bac2d05264019f2cbd0f50aff6e8f1d19315a7a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-template Version: 2.0.1 The bundle contains multiple critical shell injection vulnerabilities in 'scripts/script.sh'. Functions such as 'cmd_add', 'cmd_run', and the internal '_log' utility use 'echo' with double-quoted variables (e.g., '$*', '$1') that do not sanitize user input, allowing for arbitrary command execution via command substitution (e.g., '$(payload)'). Additionally, the 'search' command in the same file is vulnerable to argument injection in 'grep' (e.g., using '--file' to read arbitrary files). While these are high-risk vulnerabilities, they appear to be unintentional coding flaws in a template scaffold rather than intentional malicious behavior.
- External report
- View on VirusTotal