Skill v1.0.0

VirusTotal security

Service Watchdog · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · May 1, 2026, 4:36 AM
Hash
2b6603fa0d4f722811b7a9b5f57934de7384f5414e440cc4210ff6f9b1c04011
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: service-watchdog
Version: 1.0.0

The `watchdog.sh` script is highly vulnerable to shell injection, allowing for Remote Code Execution (RCE). Values read from the `watchdog.json` configuration file (e.g., `url`, `host`, `port`, `domain`, `method`) are directly interpolated into commands executed via `curl`, `nc`, `ncat`, `dig`, `nslookup`, `host`, and `openssl` without proper sanitization. A critical example is the `check_tcp` function's fallback to `bash -c "echo >/dev/tcp/${host}/${port}"`, where a malicious `host` value in `watchdog.json` could lead to arbitrary command execution. While the skill's stated purpose is benign, these vulnerabilities pose a significant security risk if an attacker can control the `watchdog.json` file.