Back to skill
Skillv1.0.0
VirusTotal security
skill-isolator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:39 AM
- Hash
- e46aaccd7d3a8b88425a870a25a87a88ffb3289f16d731a8ba07a6c13e9b89f5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-isolator Version: 1.0.0 The skill bundle provides a utility for project-based skill isolation but contains a shell injection vulnerability. In `scripts/sync-project-skills.js`, the `installFromClawhub` function uses `execSync` to execute shell commands constructed directly from the `skillName` and `version` fields found in the `.openclaw-skills.json` configuration file without any sanitization. A maliciously crafted configuration file could exploit this to run arbitrary system commands. While the overall logic appears aligned with its stated purpose and lacks evidence of intentional malice or data exfiltration, the high-risk implementation of system calls qualifies it as suspicious.
- External report
- View on VirusTotal