Skill v1.0.0
VirusTotal security
Agents-Manager-and-IM · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:40 AM
- Hash: a2747e52c6a2bfba49cab07dd0233c5dbf1f4ef3eb25fe9fc4fcdd85c7a6cef2
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: agent-im-manager-v100. Version: 1.0.0. The skill bundle provides a management interface for OpenClaw agents but contains critical security vulnerabilities that could lead to Remote Code Execution (RCE). Specifically, 'server.js' and 'server-gemini.js' use 'child_process.exec' to run CLI commands where user-provided chat messages are only partially sanitized (escaping double quotes), leaving the system vulnerable to shell injection via subshells (e.g., using $() or backticks in zsh). While the behavior aligns with the stated purpose and includes a 'SECURITY.md' claiming safety, the high-risk implementation of shell command construction and the requirement for users to manually input sensitive Operator Tokens into 'config.json' make the bundle dangerous in its current state.
