Skill v1.0.0
VirusTotal security
Help.Center Article Management · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:53 AM
- Hash: 467db598565925be82349043ea218eaae6ffb1c2627b953bf19e81a656c2945b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: helpcenter; Version: 1.0.0. The SKILL.md defines numerous `curl` commands that use placeholders for user-provided input (e.g., `SEARCH_TERM`, `ARTICLE_ID`, `title`, `html`, `category-slug`, `/path/to/image.jpg`). If the AI agent directly substitutes unsanitized user input into these shell commands, it creates a critical shell injection vulnerability (RCE). Furthermore, the image upload functionality (`image=@/path/to/image.jpg`) allows the agent to read and upload local files, which could be leveraged for data exfiltration if the agent is prompted to upload sensitive files. While the skill's stated purpose is legitimate, these inherent execution patterns expose the system to significant risks if the agent's input sanitization is insufficient.
