Skill v1.0.2

VirusTotal security

Dead Or Not · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:01 AM
Hash
a8ce919d929004d56b837af97d76aec2636fdd1b8e8a03d50bd1a558db497c6b
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: dead-or-not
Version: 1.0.2

The skill is classified as suspicious due to several critical vulnerabilities that could lead to arbitrary command execution and credential exposure. The `SKILL.md` instructs the agent to add a cron job using `crontab` with a placeholder `/path/to/check.sh`, which is a significant shell injection risk if the agent resolves this path insecurely. Additionally, the `scripts/check.sh` script uses `source "$CONFIG_FILE"`, allowing arbitrary command execution if the configuration file (`~/.openclaw/apps/deadornot/config`) is compromised. Finally, sensitive SMTP credentials are stored in plain text within this configuration file, posing a risk of exposure.