Back to skill
Skillv1.0.0
VirusTotal security
WhatsApp Forward · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:19 AM
- Hash
- 697ad4cc12c3c71be1c6418647257f65db2e523c191a4912117be895ae50e6b1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: whatsapp-forward Version: 1.0.0 The skill is classified as suspicious due to a potential shell injection vulnerability. The `SKILL.md` file instructs the OpenClaw agent to execute `scripts/forward.js` with user-controlled arguments (e.g., contact names, phone numbers, JSON strings, URLs). If the agent does not properly sanitize or escape these arguments before constructing the command string for `exec`, an attacker could inject arbitrary shell commands. The `scripts/forward.js` file itself does not contain malicious logic, but its direct use of `process.argv` for arguments creates a common vector for shell injection if the calling environment (the OpenClaw agent) is not robustly secured against such input.
- External report
- View on VirusTotal