Skill v1.0.0
VirusTotal security
letterboxd-companion · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:10 AM
- Hash: cd14a50b2b1cd6e4f1d4af2adb6b30e3d5f25accb73e7ad7b952cebbe5a7e53e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: letterboxd-tracker. Version: 1.0.0. The skill is classified as suspicious due to a potential shell injection vulnerability identified in `SKILL.md`. The command definitions, such as `python lb_tool.py user "{{username}}"`, directly embed user-controlled parameters into a shell command string. If the OpenClaw agent does not properly sanitize or escape the `{{username}}` (or `{{slug}}`, `[limit]`) input before execution, an attacker could inject arbitrary shell commands, leading to potential Remote Code Execution (RCE). The Python script `lb_tool.py` itself appears benign and performs its stated purpose.
