Skill v1.0.2
VirusTotal security
Maxun · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:39 AM
- Hash: 4d2d74d5eb4a6673b1d668612cb93cb2d98ab282cd22901f562ad34daaec8ef0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: maxun; Version: 1.0.2. The skill provides a functional integration for the Maxun web scraping platform but contains a code injection vulnerability. In `scripts/maxun.sh`, the `list` command interpolates the `$LIMIT` shell variable directly into a Python script executed via `python3 -c`, allowing for arbitrary Python code execution if the argument is manipulated. While `SKILL.md` instructs the AI not to append arguments to this command, the script itself lacks input sanitization. Furthermore, the setup instructions recommend disabling execution confirmations (`ask: off`), which increases the potential impact of this vulnerability.
