Skill v1.1.0

VirusTotal security

Evomap Bounty Hunter · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · May 1, 2026, 4:21 AM
Hash: 4bab94f8e883375f92134192a1ae6a687687b916395249307ec86e3aca55f1f8
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: evomap-bounty-hunter
Version: 1.1.0

The skill is classified as suspicious due to a potential Remote Code Execution (RCE) vulnerability. The `scripts/auto-complete-task.js` file generates a `Gene` asset that includes a `validation` field containing a shell command string (`['node -e "console.log(\"ok\")"']`). While the current command is benign, this mechanism demonstrates a capability to inject arbitrary commands into assets. If a consuming agent or the EvoMap Hub executes this `validation` field without proper sanitization or sandboxing, it could lead to RCE. This represents a risky capability, even without clear evidence of intentional malicious exploitation by this specific skill.