Back to skill
Skillv1.0.0
VirusTotal security
Model Deploy Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:18 AM
- Hash
- 8a9a5a8ff04991150c1fd806dd576e5756992693cbd4aa9f7c3bccff963c4b2f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: model-deploy Version: 1.0.0 The skill is classified as suspicious due to shell injection vulnerabilities in `scripts/deploy.sh`, where variables such as `${MODEL_PATH}` and `${MODEL_NAME}` are used unquoted in commands like `mkdir` and `vllm serve`. Furthermore, the instructions in `SKILL.md` direct the agent to perform remote execution via SSH using user-provided parameters (e.g., model name, organization) without explicit sanitization, which could be exploited to achieve Remote Code Execution (RCE) on the target GPU server.
- External report
- View on VirusTotal