Back to skill
Skillv0.1.0
VirusTotal security
Repomix Explorer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:48 AM
- Hash
- 77f99ac60f7caa4ddcc6927e6d84ce52d38d496159e66ed4b4d22b4e35ce567b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: repomix-explorer Version: 0.1.0 The skill instructs the AI agent to execute shell commands (`npx repomix@latest`, `grep`) with parameters directly derived from user input (e.g., repository names, local paths, output paths, include/ignore patterns). The `SKILL.md` instructions do not include explicit directives for input sanitization, which creates a significant shell injection vulnerability. A malicious user could craft inputs containing shell metacharacters to execute arbitrary commands or write files to unintended locations. While the skill's stated purpose is benign and there is no evidence of intentional malicious behavior (such as data exfiltration or persistence), the lack of input sanitization for shell commands makes it suspicious.
- External report
- View on VirusTotal