Skill v1.0.1
VirusTotal security
uf2.net URL Shortener · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:32 AM
- Hash: 8abd2eef2673b3c8e1e838f61f679bc4bef10253f41eb3ab524cbbc40104cc3c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: uf2-net; Version: 1.0.1. The skill is classified as suspicious due to critical command injection vulnerabilities found in `scripts/uf2.sh`. The `cmd_create` function directly interpolates user-provided arguments (`url`, `slug`, `title`) into a JSON string without proper shell escaping, which allows for arbitrary command execution via `$(command)` injection. Additionally, `cmd_list`, `cmd_get`, and `cmd_delete` are vulnerable to URL parameter and path injection due to direct interpolation of user input into `curl` arguments. These are significant vulnerabilities, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoors) by the skill itself, only flaws that allow an attacker to exploit the agent running the script.
