Back to skill
Skillv3.4.2
VirusTotal security
Nlp · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:22 AM
- Hash
- 2cf6348efdf33ab5809d8f6d6ea8e664160b9f12a5b976b99a91ae215ed0f890
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: nlp Version: 3.4.2 The skill provides a functional NLP toolkit in Bash but contains a shell injection vulnerability in the `cmd_classify` function within `scripts/script.sh`. The `--categories` argument is parsed and its values are used directly within a `grep` command inside a subshell (`$(...)`) without sanitization, allowing for arbitrary command execution if an attacker provides crafted category names. While there is no evidence of intentional malice or data exfiltration, this critical security flaw poses a significant risk if the agent processes untrusted input.
- External report
- View on VirusTotal