Skill v1.0.0

VirusTotal security

status-web · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:04 AM

Hash: 5f68accdc31a1f5743ade2e8f129b7e4c2e3dec2a77eddad78f0aa25c23a3c2a
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: status-web
Version: 1.0.0

The `server.js` file uses `child_process.execSync` to execute `openclaw agent` commands with user-provided input from the `/api/chat` endpoint. While there is an attempt to sanitize the user's `message` (`message.replace(/"/g, '\"').replace(/\$/g, '\$')`), this sanitization is insufficient to prevent all potential shell injection vulnerabilities, posing a risk of Remote Code Execution (RCE). Additionally, this 'hidden chat' feature explicitly allows users to perform prompt injection against the AI agent.

Although there is no clear evidence of intentional malicious behavior like data exfiltration or backdoors, the presence of a shell injection vulnerability and direct prompt injection vector makes this skill bundle suspicious.