Skill v0.1.0
VirusTotal security
Pharmgx Reporter · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 4:34 AM
- Hash: 49fd7a374775dd71eb4e5d1dfcd2a5294e8305f0d990b6bd6972f16814e9830d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: clawbio-pharmgx-reporter. Version: 0.1.0. The skill is classified as suspicious due to a lack of input sanitization in `pharmgx_reporter.py`. The script embeds the user-provided input filename directly into a shell command string within the generated `report.md` file (in the 'Reproducibility' section). If a malicious filename (e.g., `'; rm -rf /'`) is provided, and the generated command from the report is subsequently executed by a shell, it could lead to arbitrary command execution (shell injection). This is a vulnerability, not intentional malice, aligning with the 'suspicious' classification criteria.
