Skill v2.1.0
VirusTotal security
Knowledge Management · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 4:07 AM
- Hash: 2df91c61d5eff41c21e85b4a8ffaaaa073de6ef1f7e286f0cb1070863e9e0a71
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: knowledge-management; Version: 2.1.0. The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability found in `index-local.js`. Specifically, the `LocalStorageManager.generateIndex()` function uses `eval()` to parse the `tags` array from YAML frontmatter within markdown files. An attacker could inject malicious JavaScript into the `tags` field of a crafted markdown file, leading to arbitrary code execution when the `km summarize` command is run. This appears to be an unintentional vulnerability rather than intentional malice, as indicated by the comment `// Safe since we control the format`.
