Skill v1.0.0
VirusTotal security
RankForge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:57 AM
- Hash: ae262ade265c842c776fa1bc5730e8d69830491bb0a2c9a318e17cee885b502a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: rankforge; Version: 1.0.0. The skill bundle, intended for SEO analysis, contains a shell injection vulnerability in `scripts/forge-client.sh`. The `analyze` action passes the user-provided JSON payload (`$1`) directly to `curl -d "$1"` without proper sanitization or quoting, allowing for arbitrary command execution if `$1` contains shell metacharacters. While this is a critical vulnerability (RCE risk), there is no clear evidence of intentional malicious behavior such as data exfiltration or persistence, making it suspicious rather than malicious.
