Skill v1.0.0

VirusTotal security

Agent Manager · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 5:33 AM
Hash: ac4df7f3f7104118956cc2dd444851625da140ba0a31f2658d599bb678064100
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: agent-manager-v1
Version: 1.0.0

The skill bundle contains critical security vulnerabilities and high-risk coding practices. The primary issue is a shell injection vulnerability in 'server.js' and 'server-gemini.js', where user-provided chat messages are insufficiently sanitized before being passed to 'child_process.exec()', allowing for arbitrary command execution. Additionally, 'cli.js' uses 'execSync' to construct shell commands with 'curl', and 'server.js' contains a hardcoded OpenClaw operator token. While these appear to be severe architectural flaws rather than intentional malware, the bundle's instructions in 'SKILL.md' to manually extract sensitive tokens and the overall lack of input validation pose a significant risk to the host system.