Skill v1.0.0
VirusTotal security
Random Thought · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:50 AM
- Hash: 0fe8004a276fbd314d3f24cd56e0697367351e7a3f1f040a188e80d0bbde06c5
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: random-thought
  - Version: 1.0.0

  The skill contains shell-to-python injection vulnerabilities in `scripts/corpus-pick.sh` and `scripts/freshness-gate.sh` where workspace paths and configuration values (e.g., `$HISTORY_PATH`, `$ABS_FILE`) are interpolated directly into `python3 -c` command strings without sanitization. While the tool's behavior is aligned with its stated purpose of autonomous workspace reflection and includes a robust list of sensitive file exclusions (e.g., `.env`, `.key`, `.pem`), these implementation flaws could allow for arbitrary code execution if an attacker can influence the workspace environment. The recommended use of `cron` for periodic autonomous operation further elevates the risk profile of these vulnerabilities.
- External report: View on VirusTotal
