Skill v1.0.1
VirusTotal security
Ostrom Energy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 11:41 AM
- Hash: 26c485713bde39db8c1584ad1ee2619f2d094d109bb2b8b9506cf820a9ad064e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: ostrom-energy; Version: 1.0.1. The skill provides a utility for tracking Ostrom energy prices but contains a high-risk shell execution pattern in `ostrom_energy.py`. The `control` command uses `subprocess.run(shell=True)` to execute arbitrary strings provided via the `--on-command` and `--off-command` arguments. While documented as a feature for home automation (e.g., Home Assistant CLI), this creates a direct path for shell injection if the AI agent is manipulated into executing malicious payloads. The skill also installs a local wrapper in `~/.local/bin` via `install-local-command.sh`, which is standard for CLI tools but increases the persistence footprint.
