Skill v1.0.1
VirusTotal security
OpenD CLI for MooMoo · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:41 AM
- Hash: 8d81990b4b8b89c908a1196b0a98e44a63d7b549d31b3223f08ecea379d05a1d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: opend. Version: 1.0.1. The skill contains a critical Remote Code Execution (RCE) vulnerability in `opend_core.py`. The `load_sdk()` function allows the `OPEND_SDK_PATH` environment variable to inject arbitrary paths into `sys.path`, enabling the loading and execution of untrusted Python modules if an attacker can control this variable. While `SKILL.md` and `README.md` warn users to only point this at trusted code, the underlying mechanism presents a significant security risk. Additionally, the skill supports legacy credential methods (`env`, `config`, `keyring`) that bypass OpenClaw's preferred secret management, though these are clearly documented as less secure compatibility paths. There is no evidence of intentional malicious behavior, but the RCE vulnerability makes it suspicious.
