Search recent repo activities

Verdict: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: nom-feed
Version: 1.0.0

The skill is classified as suspicious due to a high-risk shell injection vulnerability. The `SKILL.md` file instructs the AI agent to construct `curl` commands using user-provided arguments (e.g., `--search TEXT`, `org/repo` path components) and explicitly allows `Bash(curl:*)`. If the agent does not properly sanitize or escape these user inputs before embedding them into the `curl` command, an attacker could inject arbitrary shell commands, leading to remote code execution. There is no evidence of intentional malicious behavior such as data exfiltration or backdoor installation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Repo names, organization names, date filters, and search text you provide may be included in requests to beta.nomit.dev.

Why it was flagged

The skill authorizes curl network requests to fetch Nom feed data. This is expected for the stated purpose, but users should recognize that query arguments are sent to an external service.

Skill content

allowed-tools: ["Bash(curl:*)"] ... Base URL: `https://beta.nomit.dev` ... Use curl to fetch the response.

Recommendation

Use it for public GitHub activity searches and avoid putting private or sensitive information into search terms.