Skill v0.1.0
VirusTotal security
GH Triage · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:13 AM
- Hash: 92f4edf3271b9341a11858af5fb85796dd0074dab56a978bc6f196653436124d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: gh-triage; Version: 0.1.0. The skill includes a script `auto_fix.js` that clones external repositories and executes `npm ci`, `npm run lint`, and `npm test` within the cloned directory. This design introduces a critical Remote Code Execution (RCE) vulnerability because it allows untrusted code from a triaged repository to execute arbitrary commands on the host system via npm lifecycle scripts or test suites. While these actions are aligned with the stated goal of automated PR fixes, the lack of sandboxing for third-party code execution poses a significant security risk.
