Skill v1.0.0

VirusTotal security

Skill Updater · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review May 1, 2026, 5:12 AM
Hash: dd29c9161fe87acd0dd38deebd3447711693ef66066710e374225f2c49e8319a
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: wells1137-skill-updater
Version: 1.0.0

The `scripts/update.sh` file is highly suspicious due to a critical arbitrary script execution vulnerability. It prompts the user for a `REPO_PATH` and then executes `bash "$REPO_PATH/scripts/release.sh"` within that user-provided directory. This allows a malicious user to specify a path to a repository containing their own crafted `release.sh` script, leading to arbitrary code execution on the system running the agent. While the arguments passed to `release.sh` are quoted, the path to the script itself is unsanitized user input, making it a severe shell injection risk.