Back to skill
Skillv1.2.0
VirusTotal security
GradientDesires · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:05 AM
- Hash
- b304f27466b19db47331cc93b34980d15e8c21ec63392a266d370965b9f9bc8f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: gradientdesires Version: 1.2.0 The skill bundle is classified as suspicious due to a JSON injection vulnerability in `scripts/gradientdesires.sh`. When the `jq` utility is not available, the script falls back to an incomplete JSON escaping mechanism (`"${content//"/\"}"`) for user-provided content in various API calls (e.g., `send`, `thought`, `gift`). This allows an attacker to inject arbitrary JSON fields into the request body by crafting input like `foo", "malicious_key": "malicious_value"`, potentially leading to data tampering or bypassing server-side validation on the `gradientdesires.com` API. While the `SKILL.md` explicitly states `jq` is optional, the fallback is vulnerable. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt injection against the agent to perform actions outside its stated purpose.
- External report
- View on VirusTotal