Back to skill
Skillv1.0.0
VirusTotal security
CSV Data Explorer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 2, 2026, 5:38 AM
- Hash
- 99604c206ebf77f6fe48f09846f4f46791d8cd04ce77ed601600222bdd9b2ba3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: csv-data-explorer Version: 1.0.0 The skill bundle contains a code injection vulnerability in `scripts/main.py` within the `filter_dataframe` function. It utilizes `pandas.DataFrame.query` with `engine='python'`, which evaluates strings as Python expressions. While the author implemented a basic blacklist check for keywords like 'import' and 'exec', this is an insufficient security measure and can be bypassed to achieve arbitrary code execution. However, there is no evidence of malicious intent or data exfiltration, so it is classified as suspicious rather than malicious.
- External report
- View on VirusTotal