Back to skill
Skillv1.0.0
VirusTotal security
Adaptive Learning · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousMar 31, 2026, 8:41 AM
- Hash
- 66e589486d88a980957060ffb069544889dcba4c23cf43877ea5ecf713a0bfef
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: adaptive-learning Version: 1.0.0 The skill bundle contains a critical shell injection vulnerability in `scripts/generate-course.sh`. The script uses an unquoted heredoc (`<<PRELOAD_EOF`) to write the contents of a user-provided `questions.json` file into a JavaScript file, which allows for arbitrary command execution if the JSON content contains shell expansion sequences like `$(...)`. Additionally, the `SKILL.md` instructions direct the AI agent to download external course materials and execute this vulnerable script, creating a high-risk workflow. While the functionality aligns with the stated purpose of creating study apps, the lack of input sanitization and the broad file/network permissions requested make it a significant security risk.
- External report
- View on VirusTotal