Back to skill
Skillv1.0.1
VirusTotal security
Cogmate Client · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:17 AM
- Hash
- 5628f566766a3a1c6733d10cf08f8b46604924b3aaac3bc6771bedf19a626218
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cogmate-client Version: 1.0.1 The skill bundle contains shell injection vulnerabilities in 'scripts/ask.sh' and 'scripts/search.sh'. Specifically, user-provided inputs such as the question or search term are expanded within double-quoted strings in curl commands (e.g., "${QUESTION}"), which allows for command execution via subshell expansion (e.g., $(whoami)) on the host running the agent. While these appear to be unintentional coding flaws rather than intentional malware, they pose a significant security risk if the agent processes untrusted input.
- External report
- View on VirusTotal