Back to skill
Skillv0.1.0
VirusTotal security
Mvg · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:07 AM
- Hash
- 60e0c6bbede8f651bed78505a267541a964428dfff9d48bdd50ce42789d717b2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mvg-cli Version: 0.1.0 The skill is classified as suspicious due to the use of `subprocess.run` in `mvg_cli.py` to execute a dynamically generated JavaScript file via `node`. While the JavaScript code and its arguments are currently hardcoded and serve a legitimate purpose (fetching S-Bahn live data from `api.geops.io`), this pattern introduces a significant Remote Code Execution (RCE) risk. If an attacker could modify the hardcoded JavaScript or its execution parameters (e.g., via a supply chain attack on the skill bundle), it would lead to arbitrary code execution. This is a powerful and risky capability, even if not explicitly malicious in its current, hardcoded form. Additionally, the `README.md` and `mvg_cli.py` have inconsistent dependency information regarding the `requests` library and `node`/`ws` module, though this is a minor issue.
- External report
- View on VirusTotal