Back to skill
Skillv2.0.4
VirusTotal security
Skill Dashboard · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:35 AM
- Hash
- b7c095f150c9176abb5f2b62a4419ad935aade83ca964eba5cf840aee3447d80
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-dashboard Version: 2.0.4 The skill bundle contains a critical shell injection vulnerability (Remote Code Execution risk) in `dashboard.js`, `commands/uninstall.js`, and `commands/update.js`. User-provided skill names, parsed by `pagination.js`, are directly interpolated into `child_process.exec` calls (e.g., `clawhub update ${skillSlug}` or `clawhub uninstall ${skillSlug}`) without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious skill name. While there is no evidence of intentional malicious behavior (e.g., data exfiltration, persistence), this severe vulnerability makes the skill suspicious.
- External report
- View on VirusTotal