Skill v1.0.0
VirusTotal security
Project- & Time-Capsules · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:38 AM
- Hash: 562c0dd477c6f0cdb6cec1f84500f6cb1d2b514353f61f5e6f8fee6a2d8b1a9e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: kapsel. Version: 1.0.0. The script `scripts/kapsel.py` contains a critical shell injection vulnerability because it uses `subprocess.run(shell=True)` with unsanitized inputs in the `run()` function. Commands are constructed using f-strings that incorporate user-provided arguments like `name` and `filepath` (e.g., in `cmd_load` and `cmd_save`), allowing an attacker to execute arbitrary shell commands by providing a malicious project name containing shell metacharacters. While the tool's stated purpose of archiving project data via `rclone` appears legitimate, the lack of input validation poses a significant security risk.
