Skill v1.1.0
VirusTotal security
Apple Notes (AppleScript) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:43 AM
- Hash: fdb8f63dbc8b67f3608779834854412571594ccffacf8373f530924fdce93dfb
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: apple-notes-applescript. Version: 1.1.0. The skill bundle contains a critical shell injection vulnerability in `scripts/notes-search.sh`. When the `--spotlight` flag is used, the user-provided `$QUERY` is directly interpolated into an `mdfind` command without proper sanitization, allowing for arbitrary command execution. While other scripts demonstrate good input sanitization for AppleScript, this specific flaw poses a significant risk. There is no evidence of intentional malicious behavior such as data exfiltration to external endpoints or persistence mechanisms.
