Skill v1.0.2
VirusTotal security
perfguard · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 14, 2026, 3:31 PM
- Hash: f011cbe8b4b57bb9674293bac45f19244b66992eae885f6c3f4b7f748acdbfcd
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: perfguard. Version: 1.0.2. The skill contains a critical command injection vulnerability in `scripts/license.sh`. The `extract_field` and `decode_jwt_payload` functions interpolate decoded JWT payload data (user-controlled via the license key) directly into `python3 -c` and `node -e` execution strings without sanitization, allowing for arbitrary code execution via a crafted license key. Additionally, the `show_trend` command in `scripts/analyzer.sh` performs automated `git checkout` operations on historical commits, which is an invasive operation that could trigger unexpected side effects or git hooks in certain repository environments.
