Skillv1.0.3

VirusTotal security

Ccusage Report · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 30, 2026, 5:05 AM

Hash: bb2d9ab6a2f1cf66ea237585bf50044dd729a179ee040939e058a3ead733696d
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: ccusage-report Version: 1.0.3 The skill bundle facilitates Claude Code usage reporting but introduces a shell injection vulnerability by instructing the agent to execute commands containing shell substitutions (e.g., `$(date ...)`) via `bunx ccusage` in `SKILL.md`. While the intent appears benign (reporting token costs), the reliance on the `exec` tool with dynamic shell-evaluated strings without explicit sanitization poses a security risk if the agent is manipulated into including additional shell metacharacters.
External report: View on VirusTotal