Skill v0.0.2

VirusTotal security

android build tool · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:03 AM

Hash: 9022e212dd4e193a6958baa159f0da16b594ea0e2ddecc18e758d8a33c219037
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: android-build
Version: 0.0.2

The `pi_claw.py` script is highly suspicious due to a critical shell injection vulnerability. It uses `os.system(' '.join(args))` where `args` includes unsanitized user input (`sys.argv[1:]`), allowing for arbitrary command execution if a malicious string is passed as an argument. Additionally, the script downloads and executes an external, unverified binary (`pi` or `pi.exe`) from a GitHub release URL (e.g., `https://github.com/noah-smith-max/pi_public/releases/download/r0.0.1/pi.exe`), introducing a significant supply chain risk by running code from an external source without validation. While the `SKILL.md` does not contain malicious prompt injection, the underlying Python script presents severe security flaws.