Back to skill
Skillv1.0.0
VirusTotal security
Steel Browser · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:49 AM
- Hash
- 7b1866dcdad2f840ad378da03fd759e80af24e1f0b81a6e0bc633ad84250f0f8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: steel-browser Version: 1.0.0 Multiple shell scripts (e.g., `scripts/click.sh`, `scripts/eval_js.sh`, `scripts/navigate.sh`, `scripts/type.sh`) are vulnerable to shell injection. User-provided arguments are directly embedded into Python code executed via `python3 - <<PYEOF ... PYEOF` without proper sanitization. An attacker could terminate the Python string literal and inject arbitrary Python code, leading to remote code execution on the host system. This represents a critical vulnerability, but there is no clear evidence of intentional malicious behavior (such as data exfiltration or persistence mechanisms) by the skill author.
- External report
- View on VirusTotal