Skill v1.0.0
VirusTotal security
DocStream · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:11 AM
- Hash: 8c32fd60ff52b5d749817c4379b60dc26cce50458b742d5f77d3ab1bb33b31bd
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: docstream; Version: 1.0.0. The `scripts/forge-client.sh` file contains a shell injection vulnerability. The script directly inserts unsanitized user input (`$1`) into the `curl -d` option for the 'process' action, allowing for potential arbitrary command execution or data exfiltration if a malicious payload is provided as the argument. While the skill involves external network communication to `anton.vosscg.com` for API key signup (sending email) and document processing, which aligns with its stated purpose, the input sanitization flaw poses a significant security risk, classifying it as suspicious rather than benign or malicious.
