Back to skill
Skillv0.1.0
VirusTotal security
Todo Boss · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:59 AM
- Hash
- 2cd6f706e1e8a6fd9e10b13244e3ab27c7a02b7447e617ca732612480e130521
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: todo-boss Version: 0.1.0 The skill is highly suspicious due to a critical Remote Code Execution (RCE) vulnerability in `add_task.sh`. User-controlled input (TEXT, TITLE, OWNER, DUE) is directly interpolated into a Python here-document without proper sanitization, allowing an attacker to inject and execute arbitrary Python code. This flaw, while not explicitly malicious in its current form, provides a clear pathway for an attacker to achieve data exfiltration, persistence, or other harmful actions.
- External report
- View on VirusTotal