Back to skill
Skillv1.0.1
VirusTotal security
Apify Lead Generation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:51 AM
- Hash
- fd1fffc3a0a8b4f4ff0a36fa535616e481bc0ac32b4dfdfcd36723a34096c625
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: apify-lead-generation Version: 1.0.1 The `SKILL.md` contains `bash` commands that are vulnerable to shell injection if the OpenClaw agent fails to strictly adhere to the explicit input sanitization rules provided in the markdown. Specifically, the `mcpc` command's `actor:="ACTOR_ID"` parameter could be exploited if `ACTOR_ID` is not properly escaped by the agent, potentially leading to arbitrary command execution. While the `SKILL.md` instructs the agent to sanitize inputs, relying solely on markdown instructions for critical security controls is a common vulnerability pattern. The `reference/scripts/run_actor.js` script, however, demonstrates strong internal security, including robust validation for actor IDs, JSON inputs, and output file paths (preventing path traversal), which mitigates risks once execution reaches the Node.js script.
- External report
- View on VirusTotal