Skill v1.0.0
VirusTotal security
Compliance Audit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:00 AM
- Hash: 4f8759c95e77bd81b0f5e969bffcf948e008b50801092a0e39ae2f3930fa5ced
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: arc-compliance-audit
  - Version: 1.0.0

  The skill bundle implements a legitimate audit trail with integrity verification. However, the `scripts/audit.py` script accepts a `--details` argument as a JSON string, which is then parsed using `json.loads()`. If the OpenClaw agent constructs the command to invoke this skill by directly concatenating unvalidated user input into the `--details` argument without proper shell escaping, it could lead to a shell injection vulnerability (e.g., `python3 ... --details "user_input_here"`). While the skill itself is not malicious and the `SKILL.md` provides benign examples, this design exposes a potential command injection vector if the calling agent's implementation is flawed, classifying it as a vulnerability rather than intentional malice.
