Back to skill
Skillv2.0.0
VirusTotal security
Doc Orchestrator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:57 AM
- Hash
- 74ddff085867aea220e9f397f91ffede4a44a5d113b9674c6e2f8611fdd76639
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: doc-orchestrator Version: 2.0.0 The skill bundle is designed for a legitimate document orchestration task. However, the `SKILL.md` file contains a bash snippet using `sed` within a `for` loop (`for f in ch2.md ch3.md ... ; do sed ... "$f" >> final.md; done`). While the intent of this command is benign (stripping duplicate titles), the dynamic construction of filenames in the loop (`ch2.md ch3.md ...`) presents a potential shell injection vulnerability if these filenames are derived from untrusted input without proper sanitization. This is a risky capability that could lead to arbitrary command execution, classifying the skill as suspicious rather than benign, despite the lack of clear malicious intent for data exfiltration or persistence.
- External report
- View on VirusTotal