Back to skill
Skillv1.0.4
VirusTotal security
Inner Life Core · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:41 AM
- Hash
- 60ffdbac004a64cc4273cfdba2db51ed4a25424e13b6b6c94369a72ca2e06d4a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: inner-life-core Version: 1.0.4 The skill is classified as suspicious due to a critical remote code execution (RCE) vulnerability found in `scripts/state.sh`. The `_validate_jq_path` function, intended to sanitize `jq` paths, is too permissive, allowing arbitrary `jq` expressions including `system()` or `exec()` calls. This means that if an attacker can control the `path` argument to `state_read` or `state_write` functions, they could execute arbitrary shell commands. While this is a severe vulnerability, there is no clear evidence of intentional malicious exploitation within the provided skill files, thus it is categorized as suspicious rather than malicious.
- External report
- View on VirusTotal