Back to skill
Skillv1.0.2
VirusTotal security
Openclaw Diary · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:56 AM
- Hash
- 721b242c8dd64e4bcf9ce9dc1ac948583d03cff6f0fc857adf934626dd094e62
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: openclaw-diary Version: 1.0.2 The skill is classified as suspicious due to multiple shell injection vulnerabilities identified in SKILL.md. User-provided input (e.g., 'YourRobotName', 'owner/repo', 'username') is directly inserted into `sed`, `curl`, and `git` commands without apparent sanitization, creating clear vectors for arbitrary command execution. Additionally, the skill requires and handles a high-privilege GitHub Personal Access Token (PAT) with 'repo' scope, which could be compromised if these vulnerabilities are exploited. While these are critical flaws, there is no evidence of intentional malicious behavior such as unauthorized data exfiltration, backdoors, or obfuscation; in fact, the 'Privacy Protection' section explicitly instructs the agent against such actions.
- External report
- View on VirusTotal