Skill v1.2.1

VirusTotal security

Checklist · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 5:49 AM
Hash
807114e725f630db796e4a5f0dca66aecf07c36449e08e5c32335d6d6704075d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill · Name: checklist · Version: 1.2.1

The skill bundle contains a critical shell injection vulnerability in `scripts/checklist.sh` within the `cmd_create` function, where an unquoted heredoc allows for command substitution (e.g., via `$(...)`) in the checklist name parameter.

Furthermore, there is a significant discrepancy between the documentation and the code: `SKILL.md` and `evals/evals.json` describe advanced features like loop protection, deadlock prevention, and parallel execution modes that are entirely absent from the implementation.

This combination of a high-risk vulnerability and misleading safety claims makes the bundle highly suspicious, though clear evidence of intentional malice is not present.