Skill v1.0.1
VirusTotal security
Comonyx Admin · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:32 AM
- Hash: 7a16df6eafc38a360adc7a7147e83352b826fdf9da6436f27eed2219a349bfcc
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: comonyx-admin; Version: 1.0.1. The skill is classified as suspicious due to significant vulnerabilities that could enable data exfiltration and shell injection, even though there's no clear evidence of intentional malice. The `TOOLS.md` file instructs the agent to execute a bash command that sets environment variables (`EMAIL_TO`, `ATTACHMENT_PATH`) using single quotes. If user-provided input for `<recipient>` or `<path-to-file>` contains single quotes, it could lead to shell injection. Furthermore, the `scripts/send-email.py` script allows attaching any file specified by `ATTACHMENT_PATH`. While `SKILL.md` intends this for generated export files, a compromised agent (e.g., via prompt injection) could be instructed to set `ATTACHMENT_PATH` to sensitive system files (e.g., `~/.ssh/id_rsa`, `/etc/passwd`), leading to unauthorized data exfiltration to an arbitrary email address.
