Skill v1.0.2

VirusTotal security

goplaces-togo · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:33 AM
Hash
0a07ccb2bc9659e5d84f4c35f6ec46e26ed9580dce09165f003d766e18e451ac
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: goplaces-togo
Version: 1.0.2

The skill exhibits a significant shell injection vulnerability by instructing the AI agent to execute shell commands using the `goplaces` CLI with unsanitized input derived from user-provided CSV files or chat messages (e.g., `goplaces resolve "<place name>"` in SKILL.md). While the logic is consistent with its stated purpose of managing and recommending saved places, the pattern of embedding untrusted strings directly into command-line arguments is a high-risk behavior. The skill also requires the `GOOGLE_PLACES_API_KEY` environment variable and performs persistent local file operations on `skills/goplaces-togo/goplaces-visits.json`.