Skill v1.2.0
VirusTotal security
Brand Monitor - Brand Sentiment Monitoring · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:38 AM
- Hash: e6d9e345a396949160add43bed7edddc185ecc5d54b5afd62ab51647b6c347dd
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: brand-monitor
  - Version: 1.2.0
  - The skill is classified as suspicious due to critical shell injection vulnerabilities found in `prompts/monitor.md` and `prompts/alert.md`. These prompts instruct the OpenClaw agent to execute shell commands (`python search_crawler_serpapi.py ...`) where templated variables (e.g., `{{brand_name}}`, `{{platforms_list}}`) are directly embedded without proper sanitization, allowing a malicious user to inject arbitrary commands via prompt manipulation. Additionally, `prompts/monitor.md` instructs the agent to use `web_fetch` on URLs derived from external search results, which could lead to Server-Side Request Forgery (SSRF) or fetching of malicious content. While the skill's stated purpose and Python code do not show explicit malicious intent, these vulnerabilities pose a significant risk of remote code execution and unauthorized data access.
