Back to skill
Skillv1.5.1
VirusTotal security
Scaffold · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:17 AM
- Hash
- 76ce88343c6e1a8e399110d28989190b111b63856b7b3c5a388cfffb70a6a249
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: solo-scaffold Version: 1.5.1 The skill is classified as suspicious due to critical vulnerabilities related to input sanitization and the broad use of powerful tools. Specifically, the `SKILL.md` directly uses unsanitized `$ARGUMENTS` (e.g., `project-name`) in `Bash` commands like `mkdir`, `cd`, and `gh repo create`. This creates a severe shell injection and path traversal vulnerability, potentially allowing an attacker to execute arbitrary commands or write files outside the intended project directory. Additionally, the skill generates a new `SKILL.md` for the scaffolded project, which itself grants `Bash` execution capabilities to the agent, posing a risk for persistent prompt injection or chained execution if the initial input is malicious.
- External report
- View on VirusTotal