Back to skill
Skillv1.0.0
VirusTotal security
Issuefinder Tool · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:52 AM
- Hash
- f15b4d1aaf3f8b0c1e6aaf24d453701dc581c6c8ae17a4d14dba13691950c0d0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: issuefinder-tool Version: 1.0.0 The skill bundle is classified as suspicious due to two significant vulnerabilities found in `scripts/issuefinder-tool.py`. First, the `extract_archive_with_system_tools` function uses `subprocess.run` to call external archive utilities (`unzip`, `tar`, `7z`, `gunzip`) with user-controlled input (`args.upload`). While `shell=False` is used, a specially crafted archive path could potentially lead to argument injection vulnerabilities in the external tools, allowing for arbitrary command execution (RCE). Second, the `check_and_update_version` function implements an auto-update mechanism that downloads and re-executes the script from a remote server (`https://issuefinder-playground-init-dev.inner.chj.cloud/api/cli/download`). This creates a supply chain vulnerability, as a compromise of the update server could lead to arbitrary code execution on the agent's system.
- External report
- View on VirusTotal