Back to skill
Skillv1.0.0
VirusTotal security
Pt Site · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:46 AM
- Hash
- 3ad8a8a880a8e0029eb8b8b44cd0b25fe605a4bcf5158d886291d49ee5c9671e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pt-site Version: 1.0.0 The `scripts/pt-search.sh` file contains a shell injection vulnerability. The `$SITE` variable, which is derived from user input, is directly interpolated into a `jq` command (`jq -r ".sites[\"$SITE\"]" "$CRED_FILE"`). A malicious `$SITE` value could break out of the `jq` string and execute arbitrary commands, leading to potential Remote Code Execution. While the skill's stated purpose involves handling sensitive credentials (cookies) and performing network requests, which carries inherent risk, there is no clear evidence of intentional malicious behavior like data exfiltration or persistence mechanisms.
- External report
- View on VirusTotal