Skill v1.0.1

VirusTotal security

letheClaw · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 4:11 AM
Hash
a6f2581d9a06ea3dff19ffa8ec5eb949faad9440a7fa6d77dba880e36d7dba38
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: letheclaw
Version: 1.0.1

The SKILL.md instructions for the AI agent contain a shell injection vulnerability. User-controlled inputs such as `<query>`, `tags`, and `{memory_id}` are directly interpolated into `curl` commands without apparent sanitization. This could allow an attacker to inject arbitrary shell commands (e.g., `q=foo%26%20rm%20-rf%20/`) if the agent executes these commands without proper escaping, leading to potential remote code execution on the host system. This is a critical vulnerability, but it is classified as 'suspicious' rather than 'malicious' as there is no evidence of intentional harmful behavior by the skill author, only an insecure implementation of API interaction.