Skill v1.1.0
VirusTotal security
Signal Pipeline · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:26 AM
- Hash: cacdb9adac1e66cb741f3bffc86e781198c312c707e26810c9de8fe0655aa255
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: signal-pipeline. Version: 1.1.0. The skill is classified as suspicious primarily due to a shell injection vulnerability in `newsletter_monitor.py`. This file uses `subprocess.run(shell=True)` with an f-string to construct a command for the `gog` CLI, which could allow arbitrary command execution if the `query` parameter were to be influenced by untrusted input. Although the current `NEWSLETTERS` list contains hardcoded queries, the use of `shell=True` with string interpolation is a significant security flaw. Additionally, `daily_signals.py` contains hardcoded paths like `/Users/jarvis/.openclaw/workspace/memory/daily_signals/` for saving and loading data, which is a vulnerability that could lead to errors or unintended file operations on different systems or user configurations.
