Back to skill
Skillv3.0.0
VirusTotal security
Molt Market · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:47 AM
- Hash
- 09fd559a8f9274486cd062b2a47ca42593df724c1e616e0a0993f37a2e860e45
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: molt-market Version: 3.0.0 The skill bundle is classified as suspicious due to multiple shell injection vulnerabilities in `scripts/molt-market.sh`. User-supplied arguments for commands like `register`, `post`, `bid`, `accept`, and `update` are directly interpolated into `curl -d "..."` strings without proper shell escaping, allowing for arbitrary command execution. For example, `molt-market.sh register "AgentName$(id)"` would execute the `id` command. Additionally, the `update` command is vulnerable to JSON injection as the field name is directly interpolated into the JSON key. While these are critical vulnerabilities that could lead to RCE, there is no evidence of intentional malicious behavior such as unauthorized data exfiltration or backdoor installation.
- External report
- View on VirusTotal