Skill v0.1.2
VirusTotal security
Fletcher Cyber Security Engineer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:57 AM
- Hash: 1f19472d9f42bcc22f804abd770b89c3929d5a31aa1ac72855003debad04ba17
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: fletcher-cyber-security-engineer
  - Version: 0.1.2

  The skill bundle is designed for security hardening and governance, but contains two significant vulnerabilities. The `scripts/notify_on_violation.py` script uses `subprocess.run(..., shell=True)` with a command taken from an environment variable (`OPENCLAW_VIOLATION_NOTIFY_CMD`) and input derived from a JSON report. This creates a shell injection vulnerability if an attacker can control the report content or the environment variable. Additionally, `scripts/live_assessment.py` allows overriding the `openclaw` binary path via `~/.openclaw/openclaw-bin-path.txt`, which could lead to arbitrary code execution if an attacker can write to this local file. These are vulnerabilities that allow attacks, not proof of intentional malice.
- External report: View on VirusTotal
