Back to skill
Skillv4.0.0
VirusTotal security
Slack Automator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:51 AM
- Hash
- 550e909ecea6dcfe7a0889489738fc3e3540f1ffe82c4da23e3fa755af683a9f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: slack-automator Version: 4.0.0 The script 'scripts/script.sh' contains multiple critical command injection vulnerabilities where shell variables are unsafely interpolated into Python heredocs (e.g., in _json_set, _build_payload, and _record_history). Because the script uses triple quotes (e.g., """$value""") to pass data to Python without escaping, an attacker could execute arbitrary Python code by providing a message or configuration value containing triple quotes and Python commands. While this appears to be a significant architectural flaw rather than intentional malware, it represents a high-risk execution environment.
- External report
- View on VirusTotal