Skill v1.0.1
VirusTotal security
agent-quantizer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 9, 2026, 1:36 AM
- Hash: b963ef16a77acaeebab285aef9a87e0222ea75d82d0973af65e8c1be5d03d993
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: agent-quantizer; Version: 1.0.1. The skill bundle provides legitimate utilities for token optimization and session management, but it contains critical security vulnerabilities that could be exploited for local command execution. Specifically, scripts/cache.sh and scripts/quantize.sh pass unsanitized shell variables (e.g., $query, $text) directly into Python scripts via 'python3 -c' using triple-quoted strings. An attacker or a malicious prompt could use triple-quotes to break out of the Python string literal and execute arbitrary Python code. While the bundle includes helpful features like session backups and token usage statistics, the lack of input sanitization in scripts designed to process arbitrary agent-generated content poses a significant risk.
