Back to skill
Skillv1.0.2
VirusTotal security
tenk-connect · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:14 AM
- Hash
- 5434e22f2d855ed7e7ad208f7bbfe4f92ee6850119b0dcb75243b16d91f91b78
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tenk-connect Version: 1.0.2 The skill bundle contains a critical Python code injection vulnerability in `scripts/tenk.sh`. User-controlled input (`skill_query`) is directly interpolated into a Python string within `python3 -c` calls in the `cmd_log` function, allowing for arbitrary Python code execution and potential shell injection (RCE). While this is a severe flaw, there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms, or obfuscation. All network calls are directed to the legitimate `tenk.oventlabs.com` domain, and token handling appears standard. The issue is a lack of input sanitization, classifying it as a vulnerability rather than intentional malware.
- External report
- View on VirusTotal