Skill v4.0.0
VirusTotal security
Vikunja-complete · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:58 AM
- Hash: 93c79de7f02e365f0aab114c96be4b216de6a4855cfc7eba46aa5ea5f9647bbb
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: vikunja-complete. Version: 4.0.0. The skill bundle provides a highly capable CLI for Vikunja management that includes several high-risk features such as API token creation, webhook management, and arbitrary file uploads/downloads (vikunja.sh). While the main script follows security best practices by using jq for JSON construction, the test-smoke.sh script contains a JSON injection vulnerability in the ensure_project function where the project title is interpolated directly into a JSON string. These powerful capabilities, combined with the lack of path restrictions on file operations, create a significant attack surface for data exfiltration or persistence if the AI agent is manipulated via prompt injection.
