Skill v1.0.3
VirusTotal security
Clawtar · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:55 AM
- Hash: 51f6f4192c85c1c9690c43e8c62d07bb3cd2e75125d9c68942e67a721951cac3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: clawtar; Version: 1.0.3. The skill is classified as suspicious due to a potential shell injection vulnerability in `SKILL.md`. The instruction `cocod x-cashu handle "<x-cashu>"` passes a value derived from an external HTTP response header directly to a shell command. If the `<x-cashu>` header from `clawtar.cashutools.dev` is crafted maliciously, it could lead to arbitrary command execution on the agent's system. While the skill includes explicit safety instructions for the agent to ask for human permission before spending funds or installing tools, this does not negate the underlying RCE vulnerability.
