Back to skill
Skillv1.0.0
VirusTotal security
Smart Skill Finder · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 9:43 AM
- Hash
- 7cd2d00d012c593b5c5974561c7c273194679e640d9bef8328d113c551b7e090
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: smart-skill-finder Version: 1.0.0 The skill bundle contains a critical shell injection vulnerability in `scripts/ecosystems.py`. The code uses `subprocess.run(shell=True)` to execute CLI commands with unsanitized input derived from user queries, which could allow arbitrary command execution on the host system. While the bundle's documentation in `SKILL.md` and `README.md` describes a legitimate utility for discovering AI agent skills and explicitly advises against automatic installation, the insecure implementation of the search logic poses a significant security risk. No evidence of intentional malicious behavior, such as data exfiltration or backdoors, was found.
- External report
- View on VirusTotal