Skill v1.0.0
VirusTotal security
Clash Node Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 4:02 AM
- Hash: b2d9e89595c9c01f3935757735c5254e10a3cf1e61994ae36e61a9071f0d6755
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: clash-node-manager
  - Version: 1.0.0

  The skill is classified as suspicious due to two primary vulnerabilities. Firstly, the `SKILL.md` instructions directly embed user-provided input (e.g., `<node_name>`, `<group_name>`) into shell commands, creating a prompt injection risk that could lead to arbitrary command execution if the AI agent does not properly sanitize or quote the input. Secondly, the `check_clash.py` script allows specifying an arbitrary `--api-url`, which introduces a Server-Side Request Forgery (SSRF) vulnerability. An attacker could exploit this to make the agent send requests to internal network resources or other local services, potentially leading to information disclosure. There is no clear evidence of intentional malicious behavior like data exfiltration to external servers or persistence mechanisms.
