Skill v1.1.0
VirusTotal security
Pyx Scan · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:50 AM
- Hash: 385cb88a9abbd77da8e79e07c4aae5eb4b43206964f21915286a8d9aa4c1768a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: pyx-scan; Version: 1.1.0. The skill is classified as suspicious due to a critical shell injection vulnerability in `SKILL.md`. User-controlled input (`owner` and `name` from `$ARGUMENTS`) is directly interpolated into a `curl` command without proper sanitization (Step 2). The `allowed-tools: Bash(curl *)` explicitly permits `curl` with arbitrary arguments, allowing an attacker to inject shell metacharacters and execute arbitrary commands on the agent's host system. While the stated purpose of checking skill safety is benign, this implementation flaw presents a significant remote code execution risk.
