Back to skill
Skillv0.1.0
VirusTotal security
momo · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:11 AM
- Hash
- 600045a92fd2bb7435757fd8ad8529880ae12527eabf241ac6a2a4b81489855f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: momo Version: 0.1.0 The skill requests `exec` permission in `claw.json` and `SKILL.md`, which is a high-risk capability. The `SKILL.md` demonstrates passing user-controlled arguments (e.g., project names, task descriptions) directly to the `./scripts/timesheet.sh` script. While the provided `timesheet.sh` script is incomplete and does not currently process these arguments, this design pattern represents a significant shell injection vulnerability risk if the script were fully implemented without robust input sanitization, potentially leading to arbitrary code execution.
- External report
- View on VirusTotal