Skill v1.0.0
VirusTotal security
OSS Contributor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:48 AM
- Hash: 7d115fbd82afefb2058fb0c51541b5fe7811895fa41c6b160c8228c3b9b5ff6a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: oss-contributor; Version: 1.0.0. The skill is designed to automate open-source contributions, but it contains a significant vulnerability. In Phase 5, the sub-agent is instructed to clone arbitrary GitHub repositories and then 'Run tests' within those cloned repositories. This creates a Remote Code Execution (RCE) risk, as a malicious actor could craft a repository with harmful scripts disguised as tests, which the agent would then execute. While the skill's overall intent appears benign, this RCE vector makes it suspicious. Other actions, such as accessing the GH_TOKEN from `~/.openclaw/openclaw.json` and using `curl` for GitHub API calls, are sensitive but align with the skill's stated purpose.
