Skill v1.1.0
VirusTotal security
Execution Verifier · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:57 AM
- Hash: b5b11ca44316ff7d7890031233a65366fe50ca8559d63bb9161c4d0a1e5e518e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: execution-verifier; Version: 1.1.0. The `scripts/verify_execute_verify.py` script is vulnerable to shell injection (RCE) because it uses `subprocess.run(cmd, shell=True)` where `cmd` is directly derived from command-line arguments (`--verify-cmd`, `--execute-cmd`) without proper sanitization. While the `SKILL.md` currently provides specific, seemingly benign `openclaw` commands, this design flaw allows for arbitrary command execution if an attacker can control these arguments, for instance, via prompt injection against the agent invoking the skill. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoor installation in the provided files, but the critical vulnerability makes it suspicious.
