Back to skill
Skillv2.3.1
VirusTotal security
Mission Control · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:14 AM
- Hash
- 5bb61c8321ee1e78f8013be1bb4946760a3b3ef20fd478048d2c901b34c07285
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mission-control Version: 2.3.1 The skill bundle is classified as suspicious due to multiple critical vulnerabilities. The `scripts/mc-update.sh` contains a shell injection vulnerability where insufficient input sanitization allows arbitrary command execution via crafted task IDs in `git commit` messages. The `assets/index.html` dashboard is vulnerable to DOM-based XSS through `javascript:` URLs in task descriptions and comments, as the `renderMarkdown` function does not properly sanitize `href` attributes. Furthermore, user-controlled task content (title, description, comments) is used to construct prompts for the AI agent via `assets/transforms/github-mission-control.mjs` (webhook transform) and `assets/index.html` (cron creation), posing a significant prompt injection risk. An additional vulnerability is the open CORS proxy in `scripts/cors-proxy.js`, which could be abused if exposed publicly.
- External report
- View on VirusTotal