Skill v1.0.1
VirusTotal security
Skill Security Scanner · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:05 AM
- Hash: c371959d063ba5744e4da51fcb63ec6d0d9e323a1f7b4d4eb6ed8a6a29fecb83
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: skill-security-scanner. Version: 1.0.1. The skill is designed to be a security scanner, which is a benign purpose. However, the `scripts/scan-skill.sh` script contains a critical shell injection vulnerability. The `BINS` variable, which is populated from the content of the *scanned skill's* `SKILL.md` file, is echoed without quotes (`echo " • bins: $BINS"`). This allows a malicious `SKILL.md` to inject arbitrary shell commands into the scanner script, leading to potential Remote Code Execution (RCE) on the system running the scanner. This is a vulnerability, not intentional malice by the scanner itself, hence classified as suspicious.
