Skill v1.0.0
VirusTotal security
App Store Changelog · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 17, 2026, 2:56 AM
- Hash: 5bf8920a87f0cd0bda6948f4481ac45437decaf314de88e014baa73aa27affc4
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: qui-app-store-changelog
  - Version: 1.0.0

  The skill is designed to generate App Store release notes from git history, but it contains a shell injection vulnerability in `scripts/collect_release_changes.sh`. The script passes the `since_ref` and `until_ref` arguments directly into a shell command without sanitization or quoting, which could allow arbitrary command execution if a malicious git tag or reference name is used. While the behavior aligns with the stated purpose and lacks evidence of intentional malice, the lack of input validation is a high-risk flaw.
