Skill v1.0.1
VirusTotal security
Notice Monitor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 7:23 AM
- Hash: 12af51e56ad64ce13d9980ea706f1480089aa1a4d13598e54ccdf6eb6560075e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: notice-monitor. Version: 1.0.1. The notice-monitor skill contains a critical command injection vulnerability in src/monitor.js. The Notifier.send function uses child_process.execSync to call the openclaw CLI, passing a message string constructed from notice titles scraped from external websites. While the code attempts to escape double quotes, it fails to sanitize other shell metacharacters like backticks (`) or shell expansions ($()), allowing a malicious website to potentially achieve Remote Code Execution (RCE) on the agent's host. This is classified as suspicious rather than malicious because it appears to be a severe implementation flaw rather than an intentional backdoor.
