Back to skill
Skillv1.0.2
VirusTotal security
Envelope Sender · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:50 AM
- Hash
- 0cab7d48cba872da1905d519d7ee5b7aec09afb08ebba39cce72b46b5934ee72
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: envelope-sender Version: 1.0.2 The skill bundle instructs the agent to execute shell commands via `npx @esignglobal/envelope-cli` using user-provided inputs like `filePath` and a JSON string for `signers`. This pattern is highly vulnerable to shell injection (RCE) if the agent does not perfectly escape the inputs before execution. While the `SKILL.md` includes commendable safety rules (e.g., absolute path enforcement, PDF validation, and secret handling), the inherent risk of shell interpolation and the use of `npx` to fetch external code, combined with a future-dated `publishedAt` timestamp (2026) in `_meta.json`, warrants a suspicious classification.
- External report
- View on VirusTotal