Back to skill
Skillv0.2.11
VirusTotal security
MetriLLM · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:54 AM
- Hash
- 9fcea508c56d523f28fbbe05574cd049e7f92922fc387a5d9b19f2c1ad0bdd74
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: metrillm Version: 0.2.11 The skill bundle contains a shell injection vulnerability in SKILL.md by instructing the agent to pass unvalidated $ARGUMENTS directly into Bash commands (e.g., `metrillm bench --model $ARGUMENTS`). It also performs high-risk operations including a global npm installation and optional data exfiltration of hardware and performance metrics to an external endpoint (metrillm.dev). While these actions are documented and align with the tool's purpose as a benchmark utility, the combination of broad Bash permissions and the injection risk poses a significant security threat.
- External report
- View on VirusTotal