Back to skill
Skillv1.1.0
VirusTotal security
ClawHub技能探索工具 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:12 AM
- Hash
- 0fd6bde54f64809123d04dd00230fa346dcbd46ce69aac35218c850f37466a27
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawhub-skill-explorer Version: 1.1.0 The skill bundle is classified as suspicious due to two critical vulnerabilities. First, `scripts/clawhub_skill_explorer.py` uses `os.popen` with unsanitized user input (the `slug` variable in `clawhub inspect` and `clawhub star` commands), creating a shell injection vulnerability that could lead to arbitrary code execution. Second, `scripts/optimization_script.py` contains a hardcoded ClawHub API token (`clh_bbGajvH2n5moZ28O8z9n6SF57meUTQ6xGuiYtQ5UX1I`), which is a severe security flaw making the token vulnerable to theft and unauthorized use. While the skill's stated purpose of self-optimization and publishing is not malicious, these vulnerabilities pose significant risks.
- External report
- View on VirusTotal