Skill v1.0.1
VirusTotal security
yula-web-search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Mar 23, 2026, 11:06 AM
- Hash: a4de0aea7c71f2a8088b50215194895cf7c02a722686475b19138822691fa579
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: yula-web-search. Version: 1.0.1. The skill implements a web search and content extraction tool by scraping Bing and Google via shell commands. It is classified as suspicious due to a significant shell injection vulnerability in SKILL.md, where the $QUERY variable is directly embedded into a python3 -c command string without adequate escaping, potentially allowing arbitrary command execution if the query contains single quotes or shell metacharacters. While the behavior aligns with the stated purpose and no intentional data exfiltration was found, the reliance on 'curl | python3' execution patterns and lack of input sanitization pose a high security risk.
