Skill v0.1.0
VirusTotal security
SkillScout · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Apr 30, 2026, 4:44 AM
- Hash: 7a506954287dfc72693a9b9e6e8588fa3d961eb612e10c2070b2cc2d674a4743
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: skillscout; Version: 0.1.0. The SkillScout bundle, despite its stated goal of enhancing security, contains several critical vulnerabilities. The `SKILL.md` file includes a `curl | python3 -c` command that is vulnerable to remote code execution if the remote JSON file is compromised or if the `QUERY` argument is maliciously crafted. Furthermore, the `scripts/fetch-skill.sh` script is susceptible to shell injection and path traversal via unsanitized user input when constructing `gh api` commands and `curl` URLs. Both `mcp-server/index.js` and `mcp/server.js` generate `npx clawhub@latest install` commands with unsanitized skill names, creating a prompt injection vector against any agent that executes their output. These flaws could lead to arbitrary code execution on the host system, classifying the bundle as suspicious due to severe vulnerabilities, not intentional malice.
