Back to skill
Skillv1.0.0
VirusTotal security
Casino Tournament · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:29 AM
- Hash
- 9750348ede43c85f64d63635104ef9b643e09bcd1e15a43b7c1d216fe1f328b3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: rollhub-tournament Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/tournament.sh`. The `register` command directly inserts user-provided input for the 'Agent name' (`$NAME`) into a JSON payload for a `curl` command without proper sanitization. This allows an attacker to inject shell metacharacters (e.g., `$(command)`) into the `NAME` variable, leading to arbitrary command execution on the host system where the agent is running. Additionally, the script and `SKILL.md` communicate with an external domain, `agent.rollhub.com`, which is central to its stated purpose, but the RCE vulnerability is the primary concern.
- External report
- View on VirusTotal