Skill v1.0.0
VirusTotal security
Nest SDM · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict: Suspicious (Apr 30, 2026, 4:07 AM)
- Hash: 96d509ae2a4288a4465df4365f3be6d013d83cd25db7e6d3fc760bd05dfd9e50
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: nest-sdm
  - Version: 1.0.0
  - Analysis: The skill is classified as suspicious due to several shell/JSON injection vulnerabilities found in `nest-events.sh` and `nest-sdm.sh`. User-controlled input (e.g., device names, thermostat settings, raw API body) is directly interpolated into `python3 -c` strings and `curl -d` JSON payloads without robust sanitization. This could allow an attacker to craft malicious input to perform unintended API actions or potentially execute arbitrary commands. For example, `nest-sdm.sh`'s `cmd_api` function directly passes user-supplied JSON to the API, and `nest-events.sh`'s `send_telegram_alert` and `format_event_alert` functions are vulnerable to Python string injection if input contains specific quote characters. While these are significant vulnerabilities, there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence, or obfuscation; all network calls are to legitimate Google and Telegram APIs for the skill's stated purpose.
- External report: View on VirusTotal
