Skill v1.0.0
VirusTotal security
web3-data-skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:34 AM
- Hash: 10a62dd30b6941b21a2c600608cea8e8dcd5b85680c1261a72bfbf2f1183861a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: web3-data; Version: 1.0.0.
  The skill is classified as suspicious due to critical shell injection vulnerabilities in `scripts/chainbase.sh` and prompt injection risks in `SKILL.md`.
  The `scripts/chainbase.sh` script constructs `curl` commands by directly concatenating unquoted shell variables (`$call_url`, `$call_header`, `$API_KEY`, `$call_body`), making it vulnerable to arbitrary command execution if an attacker can inject shell metacharacters into the endpoint or parameter arguments.
  Furthermore, `SKILL.md` explicitly instructs the AI agent to construct SQL queries from user input and pass them via `--sql="..."` to this vulnerable script, which also embeds the SQL string into a JSON body without proper escaping, creating a potential SQL injection against the Chainbase API and exacerbating the shell injection risk.
