Skill v1.0.0
VirusTotal security
Tonic System Deploy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:58 AM
- Hash: fd098a04cfe94a8c9cc648eca4c20c1d35642986c4b7dfb1a6f8293da7d6db5e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: tonic-system-deploy. Version: 1.0.0. The skill bundle describes a complex software deployment workflow, which inherently requires powerful system interactions. Specifically, the `SKILL.md` file includes explicit shell commands for rollback procedures (`docker compose down && git checkout <prev_tag> && docker compose up`). While these commands are plausible for the stated purpose, they represent a significant shell injection vulnerability if the `<prev_tag>` input is not properly sanitized, potentially leading to Remote Code Execution (RCE). Additionally, the skill instructs the AI agent to perform 'AI analysis' and 'AI assist' in fixing bugs, implying powerful code generation/modification capabilities which, without strict sandboxing, could be risky. There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but the presence of high-risk, potentially vulnerable commands makes it suspicious.
