Skill v0.1.0
VirusTotal security
Spec Flow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:28 AM
- Hash: 31542f12f59164f762c32379922d8f5d2b6a16c42392c8712746ad834d86d23d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: spec-flow. Version: 0.1.0. The skill's core purpose is a benign structured development workflow. However, it contains several vulnerabilities. The `scripts/execute-task.sh` script is vulnerable to shell injection via the `FEATURE_NAME` argument and potentially regex injection via task descriptions, as it directly uses unsanitized user-controlled input in `grep` and `sed` commands. Additionally, `scripts/validate-spec-flow.py` is vulnerable to path traversal, allowing it to read arbitrary files outside the intended spec directory. These flaws could allow an attacker to execute arbitrary commands or read sensitive files if they can control the input provided to the AI agent.
