Skill v1.0.0

VirusTotal security

AgentMesh Governance · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:08 AM
Hash
4c6b0fd83273f88c678b281a9cb015c6d1bc518dcfa75e33da0211f54208b05c
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: agentmesh-governance
Version: 1.0.0

The skill is classified as suspicious due to a critical Python code injection vulnerability present in all shell scripts (`scripts/*.sh`). User-controlled arguments (e.g., `--agent`, `--action`, `--policy`) are directly interpolated into the `python3 -c "..."` command strings without proper sanitization. This allows an attacker, or a malicious prompt to the AI agent, to inject arbitrary Python code and achieve Remote Code Execution (RCE). While the stated purpose of the skill is governance and security, this severe vulnerability allows for malicious exploitation, fitting the definition of a flaw that *allows* attacks rather than intentional malware.