Back to skill
Skillv1.0.0
VirusTotal security
Kasia · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:55 AM
- Hash
- 2aee5a27ca98844d51a9bfeb83b6f37fed5747261e07ebcd831e18ba18a0281f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: kasia Version: 1.0.0 The `scripts/setup.sh` file contains a critical shell injection vulnerability. User-provided arguments such as `--mnemonic`, `--network`, and `--indexer-url` are directly interpolated into a `python3 -c` command without proper sanitization. This allows for arbitrary code execution (RCE) if an attacker can control these arguments, for example, by crafting a malicious mnemonic phrase. While this is a severe vulnerability, the script's stated purpose is configuration, and there is no clear evidence of intentional malicious behavior (e.g., data exfiltration or backdoor installation) within the skill bundle itself, classifying it as suspicious rather than malicious.
- External report
- View on VirusTotal