Back to skill
Skillv1.1.0
VirusTotal security
Agent Ping · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:50 AM
- Hash
- c8873324fa68d102127831fd5a9bf33977584717a87d9d6042e6c295b70ff336
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agent-ping Version: 1.1.0 The skill is classified as suspicious due to a shell injection vulnerability in `scripts/agent-ping.sh`. The `$DOMAIN` variable, which is user-controlled input, is directly used within double-quoted strings in `curl` and `dig` commands (e.g., `curl "https://$DOMAIN"`). This allows an attacker to inject and execute arbitrary shell commands by crafting a malicious domain name (e.g., `example.com; rm -rf /`). While the skill's stated purpose involves network requests, this lack of input sanitization creates a critical remote code execution risk. There is no evidence of intentional malicious behavior like data exfiltration or persistence mechanisms.
- External report
- View on VirusTotal