Back to skill
Skillv0.1.0
VirusTotal security
LLMs.txt Generator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:42 AM
- Hash
- 17296aa22914574f6bac26c0d6fbd8cbd25f735a9eedf1dd95073be1151b6f9a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: llms-txt-generator Version: 0.1.0 The skill is classified as suspicious due to a critical shell injection vulnerability present in the `SKILL.md` file. The instructions for the AI agent directly embed user-provided URLs (`{url}`, `{extra_url1}`, `{extra_urls}`) into `bash` commands without apparent sanitization or quoting. This allows a malicious user to inject arbitrary shell commands (e.g., `example.com; rm -rf /`) that would be executed on the host system when the agent runs `scripts/crawl.py`. The `crawl.py` script itself appears benign, performing web crawling and data extraction as intended, but the method of invoking it from `SKILL.md` creates a severe remote code execution risk.
- External report
- View on VirusTotal