Skill v1.0.0
VirusTotal security
Tavily Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 5:03 AM
- Hash: 030753da4b6939219d7faff78a515bad68b3d772ccf0776f3d1b739bcdcb319b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: tavily-search-yourname. Version: 1.0.0. The skill bundle is classified as suspicious due to a critical shell injection vulnerability found in `openclaw-wrapper.js`. This file uses `child_process.execSync` to construct a command string by directly embedding user-controlled input (`process.argv[2]`) without proper sanitization or escaping, leading to arbitrary command execution if this wrapper is invoked. While `SKILL.md` does not instruct the agent to use this specific wrapper, its presence in the bundle constitutes a significant security flaw. The other scripts (`scripts/search.mjs`, `scripts/extract.mjs`) handle user input safely by embedding it into JSON payloads for API calls, and `SKILL.md` contains no direct prompt injection attempts.
