Skill v1.0.4
VirusTotal security
Linkfuse · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:13 AM
- Hash: 59b2c83c1c9e1f81cbbab9939addf12a35c843983940636996f4aecc7a604e5c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: linkfuse; Version: 1.0.4. The skill is classified as suspicious due to a critical shell injection vulnerability identified in `SKILL.md`. The instruction `node scripts/create-link.js --url "<url>"` passes a user-provided URL directly into a shell command. If the OpenClaw agent does not properly sanitize or escape the `<url>` input before execution, an attacker could inject arbitrary shell commands, leading to Remote Code Execution (RCE). While the `scripts/create-link.js` script itself performs its stated function without malicious intent, and no prompt injection attempts or data exfiltration beyond the stated purpose were found, this vulnerability poses a significant risk.
