Skill v1.4.0
VirusTotal security
SecondMind · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:46 AM
- Hash: eb4d942b3699f54815d3d50a5726eedcaaef48bf1c0038d5649c85fb22b70fb3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: secondmind. Version: 1.4.0. The skill is classified as suspicious due to significant shell injection vulnerabilities (RCE risk) present in the `SKILL.md` instructions. The AI agent is explicitly instructed to execute shell commands with user-provided arguments (e.g., `/accept <ID...> [comment]`, `/proposals [filter]`, `/smsearch <query>`). If the OpenClaw agent concatenates user input directly into these commands without proper sanitization, it could lead to arbitrary code execution. Additionally, `AGENT-SETUP.md` poses prompt injection risks by instructing the agent to handle sensitive configuration (API keys, paths) and execute setup scripts. While the core functionality and LLM prompts appear benign and include self-imposed safeguards against sensitive data, these vulnerabilities allow for potential exploitation by a malicious user.
