Skill v1.0.3
VirusTotal security
Yahoo Japan Auction Estimator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Apr 30, 2026, 4:36 AM
- Hash: bb775fc7163f61ef8fafa2b60b8afffc00cc56dee369fcb4d760ed26455b75fd
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: yahoo-auction-estimator
  - Version: 1.0.3
  - Analysis: The skill is classified as suspicious because of a critical shell injection vulnerability in `scripts/estimate.mjs`. Auction IDs taken from `process.argv` are interpolated directly into a URL string, which is then passed to `execSync` as part of a `curl` command without any shell escaping. An attacker who controls the auction ID can therefore execute arbitrary commands on the host (for example, an ID such as `b1220553804; rm -rf /`). The skill's stated purpose and its network calls to Yahoo Auctions and aucfree.com appear legitimate, but the absence of input sanitization before `execSync` is a severe security flaw.
- External report: View on VirusTotal
