Skill v0.1.6
VirusTotal security
Openclaw Skill Clawban · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:37 AM
- Hash: 2fd4aaa26e38a6166abdc2e7282b11c0fe7e8199197b9bbf26b8abfcd5459316
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: openclaw-skill-clawban; Version: 0.1.6. The skill is classified as suspicious due to multiple command injection vulnerabilities across its adapters. User-controlled input (e.g., work item titles, bodies, labels, IDs, project IDs, state IDs) is passed directly as arguments to external CLIs (`gh`, `plane`, `planka-cli`, and the `scripts/linear_json.sh` wrapper) without explicit sanitization. While `execa` is used to prevent shell injection, it does not prevent argument injection into the target CLI's own parsing logic. This vulnerability is present in `src/adapters/github.ts`, `src/adapters/linear.ts`, `src/adapters/plane.ts`, `src/adapters/planka.ts`, and potentially in `src/cli.ts` when installing the OpenClaw cron job. The skill's transparently declared privilege inheritance model (executing with the full privileges of the underlying CLIs) amplifies the impact of these vulnerabilities.
