Skill v1.5.0
VirusTotal security
qwenspeak · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:54 AM
- Hash: bdbb5b32975031aa481aeacdcab07174cc51814bf257dac00fac8b240ec870b2
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: qwenspeak; Version: 1.5.0. The `scripts/qwenspeak.sh` file contains a critical shell injection vulnerability (Remote Code Execution). It uses `exec ssh ... "$*"`, which directly passes all arguments from the local shell to the remote SSH server for execution without proper sanitization, allowing arbitrary commands to be run on the remote host as the `tts` user. This flaw, combined with the file manipulation capabilities described in `SKILL.md` (e.g., `put`, `get`, `remove-file`, `search-files`), could be exploited by a malicious prompt or compromised agent to exfiltrate data, install backdoors, or perform other unauthorized actions on the remote server.
