Back to skill
Skillv1.0.0
VirusTotal security
calender-memo · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:25 AM
- Hash
- 223160989f955cce45bd119ee3c5312d7fdac7819b48db03f40a6c6117caf1ff
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: calender-memo Version: 1.0.0 The skill contains a critical command injection vulnerability in `reminder.js` due to the insecure use of `child_process.exec`. User-provided event titles are incorporated into a shell command to send notifications via the `openclaw` CLI; while double quotes are escaped, other shell metacharacters (e.g., backticks or `$()`) are not, allowing for arbitrary code execution. Although the code appears to fulfill its stated purpose as a calendar tool without clear evidence of intentional malice, the implementation of the notification system is highly vulnerable.
- External report
- View on VirusTotal