Back to skill
Skillv1.0.3
VirusTotal security
Claw Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:19 AM
- Hash
- fac9b80f70ecb6c7f883b4d3804c12b5b8633b652fa3cf5343b185e120b3147c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claw-search Version: 1.0.3 The skill bundle contains a critical shell injection vulnerability in 'server/search.js', where the 'searchSkillhub' function passes unsanitized user-controlled search queries directly into 'execSync'. This allows for Remote Code Execution (RCE) via queries containing shell metacharacters. Additionally, 'server-v2.js' relies on hardcoded absolute paths in the root directory and executes Puppeteer with the '--no-sandbox' flag, which significantly weakens container security. While the bundle appears to be a functional search tool, these high-risk implementation flaws represent a major security liability.
- External report
- View on VirusTotal