Skill v1.0.1
VirusTotal security
Dev Task · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:20 AM
- Hash: 9880df63e7ccc1da8aee6a62171e533083aed2d9344d63476d5400e4d4baa3e3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: dev-task. Version: 1.0.1. The skill bundle is suspicious due to critical shell injection vulnerabilities in both the `SKILL.md` instructions and the `scripts/init-version.sh` script. The `SKILL.md` instructs the AI agent to execute bash scripts for '版本封版' (version freeze) and '版本回滚' (version rollback) where user-provided version numbers (`$1`) are directly used in `cp -r` commands without sanitization, leading to potential remote code execution. Similarly, `scripts/init-version.sh` uses the `$VERSION` argument directly in `mkdir -p` and `sed -i` commands, making it vulnerable to shell injection and path traversal. While there is no clear evidence of intentional malicious behavior like data exfiltration or backdoors, the lack of input sanitization for commands executed by the agent constitutes a significant security risk.
