Skill v1.0.9
VirusTotal security
Kimi Websearch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:49 AM
- Hash: accdcb05a6fe1bfc25ad09568c60d6bf519a9f38c4def817b3e75247e5de23ff
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: kimi-websearch. Version: 1.0.9. The skill provides a legitimate interface for Kimi/Moonshot web search but is classified as suspicious due to a potential shell injection vulnerability. In SKILL.md, the agent is instructed to execute `web_search.py` by passing the user's query directly into a shell command within double quotes, which could lead to arbitrary command execution if the input is not properly sanitized by the calling agent. The Python script itself (scripts/web_search.py) appears benign, correctly handling API keys via environment variables and communicating with the official Moonshot API (api.moonshot.cn) to perform its stated function.
