Skill v0.0.1
VirusTotal security
Native Run · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:53 AM
- Hash: 882404d4c2fb9ffc0badc8f2ab12f738a30a47dc7a43698e25507beac5ffc759
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: native-run. Version: 0.0.1. This skill is highly suspicious due to a critical shell injection vulnerability. The `native_run.py` script executes user-provided commands directly via `subprocess.check_output` with `shell=True`, allowing arbitrary command execution on the host machine. The `native_run_skill.js` passes unsanitized user input from the chat message directly to this vulnerable endpoint. While the skill explicitly states its purpose is to run native commands, the implementation introduces a severe Remote Code Execution (RCE) risk without clear malicious intent like data exfiltration or persistence, thus classifying it as suspicious rather than malicious.
