Back to skill
Skillv1.0.0
VirusTotal security
xgorobot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:38 AM
- Hash
- 0558657321b12544a0d62490e538db5d0b023de6157bbf4d6d85b5e4a93bea42
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xgorobot Version: 1.0.0 The skill bundle contains multiple shell injection vulnerabilities due to the unsafe use of `os.system` and `subprocess.run` with string concatenation in `lib/edulib.py` (e.g., `xgoSpeaker`, `xgoAudioRecord`) and `scripts/audio/play_http.py`. It also relies on `sudo` for hardware interactions and sends media data to external AI endpoints (`dashscope.aliyuncs.com`) for processing. While these behaviors are consistent with the stated purpose of controlling an XGO robot dog, the lack of input sanitization when executing system commands poses a significant security risk.
- External report
- View on VirusTotal