Skill v2.4.0
VirusTotal security
Oktk · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious (Apr 30, 2026, 3:51 AM)
- Hash: 660fa9c4b8a347e757c942dae1f19a09b21ea4358f2648d1e24bbe817c992ca8
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: oktk; Version: 2.4.0. The skill bundle contains a critical shell injection vulnerability in `scripts/oktk.js`. The `oktk` script directly executes user-provided command strings via `child_process.execSync` without proper sanitization, allowing arbitrary command execution if a malicious input is provided to `oktk`. The `scripts/oktk-aliases.sh` also constructs commands in a way that can trigger this vulnerability. While this poses a severe Remote Code Execution risk, there is no evidence of intentional malicious behavior such as data exfiltration or persistence mechanisms; it appears to be an unintentional flaw in handling command arguments, classifying it as suspicious rather than malicious.
