Skill v0.1.2
VirusTotal security
Intrusive Thoughts · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 3:57 AM
- Hash: 90a2b4a279a3ee60abc19d817f50f63f7b8d821ccd68c97279c99de9a878c085
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: intrusive-thoughts; Version: 0.1.2. The skill is classified as suspicious due to a critical remote code execution (RCE) vulnerability found in `log_result.sh`. The script uses a Python heredoc where the shell variable `SUMMARY` is directly interpolated into a Python string literal without proper escaping. An attacker or a compromised agent could craft a malicious `SUMMARY` string (e.g., containing `'''; import os; os.system('malicious_command'); '''`) to execute arbitrary Python code. Additionally, `dashboard.py` runs an unauthenticated HTTP server on `0.0.0.0:3117`, exposing internal data, and the `config.json`'s `system.data_dir` setting, while documented, presents a significant vulnerability if misconfigured by the user to a sensitive system path.
