Skill v1.0.0

VirusTotal security

Sovereign git-commit-analyzer · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:20 AM
Hash
16330a8498315d6b7fd564e1075c6a6c980c21faf436b8de0ea5148a53d4a233
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: sovereign-git-commit-analyzer
Version: 1.0.0

The skill's stated purpose of analyzing git commit history is benign. However, the `scripts/analyze.sh` script is vulnerable to shell injection. User-controlled inputs such as `--branch`, `--author`, `--since`, `--until`, and `--days` are directly interpolated into `git log` commands without proper sanitization or quoting. This allows for arbitrary command execution if a malicious string containing shell metacharacters is provided as an argument, posing a significant remote code execution risk. The `SKILL.md` does not contain any prompt injection attempts.