Skill v1.0.0
VirusTotal security
HabitChat · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:09 AM
- Hash: a5d6b279ca4a5f0a316cfda6f857f6685077357607957ab186a115798d04170a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: habitchat. Version: 1.0.0. The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/reminder.py`. The script directly interpolates user-controlled input (`habit["name"]`) into shell commands within generated reminder scripts and cron job instructions without proper sanitization. This allows for arbitrary command execution (RCE) when the generated scripts are executed by cron, potentially leading to system compromise or data deletion (e.g., `echo "... my habit"; rm -rf /; echo "..."`). While there is no evidence of intentional malicious behavior like data exfiltration to external endpoints, this severe vulnerability poses a significant security risk.
