Back to skill
Skillv1.0.0
VirusTotal security
Nyne Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:15 AM
- Hash
- ea4b521ccb228eb7a2636a3b81a0c87b7568616666124f4b9ac089c8f69d7b18
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: nyne-search Version: 1.0.0 The skill is suspicious due to a shell injection vulnerability in SKILL.md. The `curl` command used for polling results, `curl -s "https://api.nyne.ai/person/search?request_id=$REQUEST_ID"`, directly embeds the `$REQUEST_ID` variable into a double-quoted string. If the Nyne API returns a `request_id` containing shell metacharacters (e.g., `$(command)`), this could lead to arbitrary command execution on the agent's host. This is a critical vulnerability, although it does not demonstrate intentional malice from the skill developer.
- External report
- View on VirusTotal