Skill v1.0.0

VirusTotal security

github-helper · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:10 AM
Hash
f5eaf466598f325764fe1b6d97ba5ca2904d52513df16e3cf66cded75ce95418
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: github-helper
Version: 1.0.0

The skill is classified as suspicious due to multiple potential shell injection vulnerabilities outlined in `SKILL.md`. The instructions explicitly show direct execution of `git clone <repo-url>` and `gh` CLI commands (e.g., `gh search repos <query>`, `gh issue list --repo <owner/repo>`). If the `<repo-url>`, `<query>`, or `<owner/repo>` arguments are derived from untrusted user input without proper sanitization by the agent, this could lead to arbitrary command execution (RCE). While the Python scripts themselves are benign, the way they are instructed to be called, and especially the `git` and `gh` commands, present a significant security risk.