Skill v1.0.0
VirusTotal security
Multi-Channel Income Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:56 AM
- Hash: da40402395b3cdec3816dcc19ee34ba75cb62181c42231cc246c4658b1217a37
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: multi-channel-income-tracker; Version: 1.0.0. The skill bundle implements an income tracker as described. While there are no direct signs of malicious intent such as data exfiltration, unauthorized command execution, or persistence mechanisms, the `tracker.js` script exhibits a lack of input sanitization for command-line arguments like `--source`, `--category`, and `--description`. These values are directly stored in JSONL files and later printed to the console without validation or escaping beyond what `JSON.stringify` provides. This vulnerability could potentially be exploited if the stored data were processed by another component (e.g., a different skill, a web UI, or a shell script) that does not properly sanitize these inputs, leading to potential injection attacks (e.g., shell injection, XSS). The `SKILL.md` file is benign and does not contain prompt injection attempts.
