Skill v1.0.0

VirusTotal security

Workplace · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:08 AM
Hash: 71cac7a960ee915f09b826c924dfd7be528d18b1602d09e2923fe73d569a9771
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: workplace
Version: 1.0.0

The skill is classified as suspicious due to a shell injection vulnerability found in `scripts/init_workplace.sh`. The script uses `sed` with direct variable substitution for the `--name` argument (e.g., `sed -e "s|__NAME__|$WP_NAME|g"`), which is user-controlled. An attacker could craft a malicious `--name` argument containing `sed` metacharacters (e.g., `|e /bin/sh #`) to achieve arbitrary command execution when the AI agent executes the `init_workplace.sh` script. This is a critical vulnerability, but not evidence of intentional malice within the skill itself.