Skill v1.9.72
VirusTotal security
Wip License Hook · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:51 AM
- Hash: 0441b50bf0a0354e23e4b2bcaa00db47a2551e454dfb7fdf2a3527d2569561a6
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: wip-license-hook
  - Version: 1.9.72
  - Analysis: The tool provides license compliance scanning but contains multiple shell injection vulnerabilities in 'src/core/scanner.ts' (and the corresponding 'dist' files). It uses 'execSync' to execute system commands like 'npm view', 'pip show', and 'cargo info' using dependency names parsed directly from project manifest files without any sanitization. While this behavior is consistent with the tool's stated purpose, the lack of input validation allows for arbitrary code execution if the tool is run against a repository containing a maliciously crafted 'package.json' or 'requirements.txt'. No evidence of intentional malice, data exfiltration, or unauthorized persistence was found.
