Skill v0.1.1
VirusTotal security
Crm · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:36 AM
- Hash: 446291f866fe6db7d4273b8321b33d66979691ebcd2794aa190c13559d813b93
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill contains several vulnerabilities that could be exploited. The `scripts/crm-index.py` script allows arbitrary file writes via an unvalidated `--output` argument, posing a critical risk for overwriting sensitive system files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`) and potential remote code execution. The `scripts/crm-export.py` script also allows writing to the user's home directory, which is a significant vulnerability. Furthermore, `scripts/crm-add.py` and `scripts/crm-import.py` are vulnerable to YAML injection due to insecure frontmatter construction, which could corrupt contact files. The `SKILL.md` also highlights a prompt injection vector where the AI agent constructs shell commands from user input, which could lead to shell injection if the agent's input sanitization is insufficient.
