Skill v1.0.0
VirusTotal security
Git Federation Searcher · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:32 AM
- Hash: ba9f81f7a42439432d9b44ef3803529181cf32213f068ee5a01b29bf70b792a5
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: git-federation-searcher
  - Version: 1.0.0
  - The skill is classified as suspicious due to a critical shell injection vulnerability found in `git_federation_searcher.py`. The `_web_search` function uses `subprocess.run(cmd, shell=True)` where `cmd` is constructed using an f-string that includes user-controlled input (`query`), allowing for arbitrary command execution.
  - Additionally, the skill stores user-provided API tokens in plain text within `instances.json`, posing a data security risk.
  - There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, classifying these issues as vulnerabilities rather than malice.
