VirusTotal security

Bocha Search (Momo optimized edition) · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 5:26 AM

Hash: 2d9700d1629371b5f87de598017b310a4b5b730342822f8df10769bdd960b44d
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: bocha-search-momo
Version: 1.0.0

The skill provides a search interface for the Bocha AI API (api.bocha.cn) but contains shell injection vulnerabilities in `scripts/search.sh` and `scripts/setup.sh`. Specifically, user-provided arguments such as the search query and API key are expanded directly within double-quoted strings in `curl` and `cat` commands, allowing for potential arbitrary command execution if the input contains shell metacharacters (e.g., `$(command)`). While the behavior is aligned with the stated purpose, the lack of input sanitization represents a high-risk vulnerability.