Back to skill
Skillv1.0.0
VirusTotal security
Agency HQ · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:33 AM
- Hash
- 28390fdea90215179f655554dac32bf59a5d3ec1d724649bea6dccd22cb0d552
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agency-hq Version: 1.0.0 The skill bundle implements a monitoring dashboard that uses `execSync` to run shell commands for system statistics and process checking in `src/app/api/agents/stats/route.ts` and `src/app/api/agents/status/route.ts`. A potential shell injection vulnerability exists in the `isAgentRunning` function because it interpolates `agentId` directly into a shell command; since the documentation encourages users to customize these IDs in `src/lib/agents.ts`, this presents a risk of command injection. Additionally, the application requires broad read access to the user's `~/.openclaw` directory. While these capabilities are aligned with the stated purpose, they represent a high-risk attack surface without clear evidence of intentional malice.
- External report
- View on VirusTotal