Back to skill
Skillv1.0.2
VirusTotal security
Skill Earnings Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:17 AM
- Hash
- 8c4fb153c5b35ef361f918fc7af9a72675c3aeb22e27631255237b701043beb5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-earnings-tracker Version: 1.0.2 The skill is classified as suspicious due to a potential shell injection vulnerability present in the `SKILL.md` automation example. The cron job instruction `$(clawhub explore | grep my-skill | wc -l)` uses shell command substitution and piping. If the `my-skill` variable (or any part of the `clawhub explore` output) were controlled by an attacker and contained shell metacharacters, it could lead to arbitrary command execution when the cron job is set up and run. While the Python script itself uses `subprocess.run` with a list of arguments (a safer method), the documentation provides a pattern that is vulnerable to injection if not properly sanitized by the user or the agent interpreting the instructions.
- External report
- View on VirusTotal