Back to skill
Skillv7.18.1
VirusTotal security
Agile Workflow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:27 AM
- Hash
- d5156c91e16ec68e7877c56fb2453bb0284146534bf038a4bad73331f250124f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agile-workflow Version: 7.18.1 The bundle implements a highly complex and well-documented workflow engine for multi-agent collaboration. It is classified as suspicious primarily due to significant Command Injection vulnerabilities in core/task-scheduler.js, core/failure-handler.js, and core/agent-supervisor.js, where unsanitized task descriptions and project names are interpolated directly into shell command strings via child_process.exec. The skill also establishes persistence through crontab modifications and opens a network port (8080) for a monitoring dashboard (dashboard/backend/server.js). While these capabilities are consistent with the stated goal of an automated, self-healing workflow engine, the lack of input sanitization during shell execution creates a high risk of remote code execution if an agent processes a maliciously crafted task description.
- External report
- View on VirusTotal