Skill v0.0.0-pr-check

VirusTotal security

Sm Saver · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 5:05 AM
Hash
73244cd73790b31b2af2f25f5ad6ec5aafe20084b6b13d5108a6dc7dd677ee8d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: sm-saver
Version: 0.0.0-pr-check

The skill bundle contains a significant command injection vulnerability in SKILL.md. It instructs the agent to execute shell commands and a Python one-liner where user-provided URLs are directly interpolated into the execution string (e.g., `summarize "<url>"` and `urllib.request.Request('<url>', ...)`). While the stated purpose of saving social media resources is plausible, the lack of input sanitization in these `exec` calls allows a crafted URL to execute arbitrary code on the host system. No evidence of intentional malice or data exfiltration was found, but the implementation is highly insecure.