Back to skill
Skillv1.0.0
VirusTotal security
Sales Rhythm Tracker — Alibaba Iron Army B2B Pipeline · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:28 AM
- Hash
- fc0b3b33f859edca0ba0297cc61f5f69c16fde934cc1ee07db23ed8dd8f7565b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: sales-rhythm-tracker Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability present in `scripts/add-lead.sh` and `scripts/log-activity.sh`. These scripts directly embed unsanitized user-provided arguments into markdown files via heredocs, which could allow arbitrary command execution if the OpenClaw agent passes malicious input containing shell metacharacters. Additionally, the skill's reliance on complex 'AGENT INSTRUCTIONS' within its scripts and `SKILL.md` for parsing and modifying local markdown files, while not inherently malicious, presents a significant attack surface for prompt injection against the AI agent if its input sanitization and execution guardrails are insufficient. There is no evidence of intentional data exfiltration, backdoors, or unauthorized network activity.
- External report
- View on VirusTotal