Skill v1.0.0

VirusTotal security

Gog Html Email · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:02 AM
Hash: 4a09cf4122baf05d1cbf750c61c0bd35c8a9f8c3317f49f4100ff042940036ed
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: gog-html-email
Version: 1.0.0

The skill bundle is suspicious due to a shell injection vulnerability in its templating mechanism. The `SKILL.md` instructs the AI agent to use `sed` commands to replace placeholders in HTML templates with user-provided content. Specifically, examples like `sed "s|\[MESSAGE\]|$MESSAGE|g"` use double quotes, which allow shell variable expansion. If a malicious user provides crafted input containing shell metacharacters (e.g., `$(command)`, `|`, `;`) for placeholders like `[MESSAGE]` or `[BUTTON_URL]`, it could lead to arbitrary command execution on the host system. The skill does not provide instructions for sanitizing user input before passing it to `sed`.