Skill v1.0.3
VirusTotal security
karakeep-sh · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:54 AM
- Hash: 65b4f4d0ba8220cdf59e8f33df7093282688c7cb8e3f5c67fc19ca46ad1d5ca5
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: karakeep-sh
  - Version: 1.0.3
  - The skill bundle provides a functional interface for the Karakeep bookmark manager, but it contains a command injection vulnerability in the `kb-create-list` function within `scripts/karakeep-script.sh`. This function directly interpolates shell variables (`$name` and `$icon`) into a double-quoted string passed to `curl`, which allows for arbitrary command execution if the input contains shell metacharacters (e.g., `$(command)`). While most other functions correctly use `jq` for parameter handling, this specific flaw represents a significant security risk, although there is no clear evidence of intentional malice.
