Back to skill
Skillv0.1.0
VirusTotal security
UA1 Validator Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:11 AM
- Hash
- 8b9b7a32db9c9f8b4df424e7d42d560b4158bf1431e35b46e6a9e201971e6796
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ua1-validator-agent Version: 0.1.0 The skill executes a bash script (`scripts/validate_pdf.sh`) with a user-provided file path. While the script includes a file existence check and uses `curl -F "file=@${FILE_PATH}"` (which is generally robust against shell injection within the filename itself), the direct execution of a shell script with an unsanitized argument from the agent's perspective poses a potential shell injection vulnerability. If the OpenClaw agent does not properly quote or sanitize the `FILE_PATH` argument before invoking the script, an attacker could inject arbitrary commands. This is a vulnerability that allows attacks, not intentional malice.
- External report
- View on VirusTotal