Skill v1.0.0
VirusTotal security
Workspace Standard · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:13 AM
- Hash: 475a85c3aec4ff4f1b8fbab0336b9a7cdf7a4fe262191c5fd813e5ea4cb44b60
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: workspace-standard. Version: 1.0.0. The skill bundle contains shell injection vulnerabilities in `scripts/workspace-audit.sh` and `scripts/workspace-init.sh`. In `workspace-init.sh`, command-line arguments like `--project NAME` and `--path DIR` are directly used in `mkdir -p` and `echo` commands without sanitization, allowing arbitrary command execution if `NAME` or `DIR` contain shell metacharacters. Similarly, `workspace-audit.sh` uses values extracted from `.workspace-standard.yml` (e.g., `PROJ_SUBDIRS`) and markdown front-matter (e.g., `updated` date) directly in shell commands (`for` loops, `date -d`), creating potential RCE vectors if these inputs are controlled by an attacker. While the skill's stated purpose is benign workspace management, these vulnerabilities could be exploited to execute arbitrary commands on the host system.
