Skill v1.0.0
VirusTotal security
Workflow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:01 AM
- Hash: ddf57dc5ceef21c48ca86e126ee61f9b2bf53734c149a219d21d4b507a26f658
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: workflow. Version: 1.0.0. The skill bundle is primarily documentation for building automated workflows using standard Unix tools. It is classified as 'suspicious' due to a critical shell injection vulnerability identified in the `components.md` file, specifically within the 'Webhook Router (webhook-server.sh)' example. The example code directly uses an unsanitized `PATH` variable, derived from an incoming webhook request, to construct a `WORKFLOW` variable which is then used in a `cd` command and to execute `./run.sh`. This allows an attacker to inject arbitrary shell commands via the webhook path, leading to potential Remote Code Execution (RCE) if this example is implemented without proper input sanitization. There is no evidence of intentional malicious behavior, but this is a severe vulnerability.
