Back to skill
Skillv1.0.0
VirusTotal security
Stealth Browser · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:14 AM
- Hash
- fa0ef57d8e099e9e3e3bce61d6a11dcdf4ff3747c57cea6380b487a335c25547
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xthezealot-stealth-browser Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability in `index.js`. User-provided URLs are directly concatenated into a command executed via `child_process.execSync` without proper sanitization. This allows an attacker to inject arbitrary shell commands, leading to potential Remote Code Execution (RCE) on the host system. For example, a crafted URL like `https://example.com; rm -rf /` could execute `rm -rf /`. While the core functionality of a 'stealth browser' is benign, this severe input sanitization flaw makes the skill highly risky, even though there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, persistence) by the skill's developer.
- External report
- View on VirusTotal