Skill v1.0.10
VirusTotal security
Card Full · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 6:04 AM
- Hash: 35a8b25ef366f1eb473274c70642f1ea83ca5ddf5e6c9b0b5f8a5af75d8c3dae
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: card-full; Version: 1.0.10. The skill contains a potential shell injection vulnerability in SKILL.md. It instructs the agent to use 'curl' to query the Brave Search API, interpolating the card name directly into a shell command string. While the instructions mandate a 'resolution' step to normalize names, the lack of explicit shell-escaping for the command execution poses a risk if the normalization is bypassed or if the agent interprets the instructions loosely. This represents a high-risk capability (shell execution with external input) that is plausibly needed for the stated purpose but lacks sufficient security guardrails.
