Skill v0.2.0

VirusTotal security

NutriGx Advisor · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 4:43 AM
Hash: df39163d369b2574b739178f33c74f1b002adb0240a624adca230b101ab7cf70
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: nutrigx-advisor
Version: 0.2.0

The skill is classified as suspicious due to a shell injection vulnerability in the `repro_bundle.py` file. When generating the `commands.sh` script for reproducibility, command-line arguments are concatenated into a shell string without proper quoting or sanitization. If a user-provided argument (e.g., `--output`) contains shell metacharacters, executing the generated `commands.sh` could lead to arbitrary command execution. While this is a vulnerability in an output artifact intended for manual user execution, and not directly exploited by the OpenClaw agent, it represents a significant security flaw.

Additionally, `parse_input.py` and `generate_report.py` handle user-provided file paths without explicit path traversal sanitization, posing a potential local file read/write vulnerability.
External report: View on VirusTotal