Skill v1.2.1
VirusTotal security
Session Compact · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 11, 2026, 3:06 PM
- Hash: efa4e0fe4607e4a3ed5bf0c0e081d595650b9f3d67a2d04bdd3d93bbabf2f6d9
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: session-compact-skill
  - Version: 1.2.1
  - The skill bundle contains a high-risk shell injection vulnerability in 'src/compact/engine.ts'. The 'callLLM' function uses 'execSync' to execute a constructed shell command that includes conversation content. While it attempts to escape double quotes and backslashes, it fails to sanitize other shell metacharacters (e.g., backticks, dollar signs, or pipes), potentially allowing for arbitrary command execution if the agent processes malicious input. Although the extensive documentation and 163 test cases suggest the intent is a legitimate session management tool, the unsafe implementation of CLI integration poses a significant security risk.
