Back to skill
Skillv0.1.0
VirusTotal security
Intern PubChem Name Conversion · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 5:04 AM
- Hash
- 12be57e17a1ac1e1d22fc4ffae2f9144793b03e5b1d1e939f7094bc4a85de370
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: intern-pubchem-name-conversion Version: 0.1.0 The skill is suspicious due to a high-risk shell injection vulnerability. The `SKILL.md` instructs the agent to execute shell commands like `python3 -c '...' "$INPUT_VALUE"` and implicitly construct `curl` commands using user-controlled input (`INPUT_VALUE`). If the OpenClaw agent does not rigorously escape `INPUT_VALUE` before passing it to the shell, an attacker could inject arbitrary shell commands, leading to Remote Code Execution (RCE). While the skill's stated purpose is benign (PubChem conversion) and there's no evidence of intentional malicious behavior like data exfiltration or backdoors, the direct execution of user-controlled input in a shell context constitutes a critical vulnerability.
- External report
- View on VirusTotal