Back to skill
Skillv1.0.0
VirusTotal security
ucloud-infra · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:19 AM
- Hash
- 6fb377f7535b762a02b29572f268e6eee2029b24f2249755fc1e3b3c901b8987
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ucloud-infra Version: 1.0.0 The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `ucloud.mjs`. The script constructs shell commands by joining unsanitized user-provided arguments (such as passwords and resource names) and executes them via `child_process.exec`, which allows for arbitrary command execution. Additionally, the script logs sensitive information, including plain-text passwords, to local log files. While these represent severe security flaws, they appear to be unintentional vulnerabilities rather than intentional malware, as the tool's behavior aligns with its stated purpose of UCloud resource management.
- External report
- View on VirusTotal