Skill v1.0.0

VirusTotal security

OSINT Social Analyzer · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:45 AM

Hash: de499b60717d4c836f2b95962f56e6d8964aa229262b8edf7c713ad85cfa55a0
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: osint-social
Version: 1.0.0

The skill's stated purpose is legitimate OSINT, and its documentation includes clear ethical disclaimers. However, the `SKILL.md` instructions and `scripts/run_osint.sh` pass user-provided `{USERNAME}` directly into shell commands without explicit sanitization by the skill itself. This creates a shell injection vulnerability (RCE risk) if the OpenClaw agent does not properly sanitize the input before execution. While the `run_osint.sh` script quotes the username, this does not prevent all forms of injection if the agent constructs the initial command string poorly.

The `pip3 install --break-system-packages` command also requests elevated installation permissions, which, while sometimes necessary, adds to the risk profile.