Skill v1.1.0
VirusTotal security
Validator Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:06 AM
- Hash: 945d74a3d25609eb39b09b31d2ba7076b53d25d505d173a928966fe64c02bb75
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: validator-agent. Version: 1.1.0. The skill is highly suspicious due to critical shell injection vulnerabilities. The `<project>` placeholder, which is user-controlled input, is directly concatenated into multiple `cd <project> && ...` shell commands within SKILL.md (e.g., Round 0, Round 1, Round 2, Round 3, Round 4). This allows an attacker to inject arbitrary shell commands, leading to Remote Code Execution (RCE). Additionally, the report saving path `ops/reports/validator-YYYY-MM-DD-HH-[project].md` uses the unsanitized `<project>` input, creating a path traversal vulnerability that could allow writing the report to arbitrary file system locations.
