Skill v1.0.1
VirusTotal security
Model Setup · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:49 AM
- Hash: e6e8b8d693980872ff7373ba84eb14070abc3be3a32281238cc7de04eff97662
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: model-setup. Version: 1.0.1. This skill bundle is classified as suspicious due to critical vulnerabilities that could lead to arbitrary command execution and arbitrary file writes. The `SKILL.md` instructs the AI agent to execute shell commands (`python3 scripts/test_model.py`, `python3 scripts/add_model.py`) using user-provided inputs (JSON strings, model IDs, agent paths). If the agent does not properly sanitize or quote these inputs when constructing the shell command, it creates a severe prompt/shell injection vulnerability, allowing arbitrary command execution. Additionally, `scripts/add_model.py` uses a user-provided `agent_path` to construct file paths (`Path(agent_path) / "agent" / "config.json"`), making it vulnerable to path traversal attacks that could allow writing to arbitrary `config.json` files outside the intended directories. The `scripts/test_model.py` also executes `curl` commands with user-provided API keys and base URLs, further expanding the attack surface.
