Back to skill
Skillv1.0.0
VirusTotal security
marriott · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:45 AM
- Hash
- 0a3f739b675ab478632e6dbc9a706fd2a95b5333654ec5851423d2c31158f510
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: marriott Version: 1.0.0 The skill is suspicious due to a critical shell injection vulnerability identified in `SKILL.md`. User-provided `$ARGUMENTS` are directly passed to `bash` commands (e.g., `node "$HOME/.claude/skills/marriott/skill-search.js" $ARGUMENTS`), which could allow an attacker to execute arbitrary commands on the host machine if the OpenClaw agent does not perform robust input sanitization. While the core functionality of automating Marriott bookings via Playwright appears legitimate, this vulnerability poses a significant risk of unauthorized command execution.
- External report
- View on VirusTotal