Back to skill
Skillv1.1.0
VirusTotal security
Release Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:35 AM
- Hash
- 5c95c523acee48977d92df0315052970b0336adc1080d784a3b63a1a47a0dead
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: release-tracker Version: 1.1.0 The skill is classified as suspicious due to potential command injection vulnerabilities. Specifically, the SKILL.md instructions for fetching release content and changelogs involve executing `gh` and `cat` commands with parameters derived from external sources (user configuration, GitHub API). The `cat /opt/homebrew/lib/node_modules/<package>/CHANGELOG.md` instruction is particularly concerning as the `<package>` variable is not clearly defined and could be susceptible to path traversal or command injection if the OpenClaw agent does not rigorously sanitize inputs before executing shell commands, posing a Remote Code Execution risk. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the presence of these RCE-prone instructions makes the skill suspicious.
- External report
- View on VirusTotal