Skill v1.9.72
VirusTotal security
Wip Readme Format · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:51 AM
- Hash: 76ca248c0306ff5f4acc1b49615fe1157eb4a66d424f30d2ea5f164e6d75b03b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: wip-readme-format; Version: 1.9.72. The skill bundle contains a shell injection vulnerability in `format.mjs` within the `--deploy` command logic. The script uses `execSync` to run git commands on filenames retrieved directly from the filesystem via `readdirSync` without sanitization, which could allow arbitrary command execution if a crafted filename (e.g., containing shell metacharacters) is present in the repository. While the tool's stated purpose of reformatting README files is consistent with its logic and the 'Teach Your AI' prompt instructions are standard for agent-native onboarding, this vulnerability represents a significant security flaw.
