Skill v1.1.0
VirusTotal security
CFGPU API Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Mar 27, 2026, 4:46 PM
- Hash: 5632710075d43a84050ed8407d7ad1a904b27d4dda711bb4359554d309bc8bbf
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: cfgpu-api. Version: 1.1.0. The skill provides legitimate tools for managing CFGPU cloud instances but contains a critical shell injection vulnerability in 'scripts/cfgpu-helper.sh'. The 'api_request' function uses 'eval' to execute a curl command constructed with unsanitized user-controlled variables (such as instance names, image IDs, or durations), which allows for arbitrary command execution if the agent is prompted to use malicious inputs. While the scripts follow standard patterns for CLI tools (e.g., storing tokens in '~/.cfgpu/token' and modifying shell profiles in 'scripts/setup-env.sh'), the use of 'eval' on raw strings is a high-risk security flaw.
