Skill v1.0.0
VirusTotal security
hugme · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:49 AM
- Hash: d6748d6b44229f1bd28abe95819b44c0dea7c669d96abbe2fc370bd49314016d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: hugme; Version: 1.0.0. The skill is suspicious due to a critical command injection vulnerability. The `SKILL.md` instructs the AI agent to generate an `<emotion>` value (potentially a 'custom word' based on user input) and then directly embeds this value into a `curl` command string without explicit sanitization. Given the broad `allowed-tools: Bash(curl *)` permission, an attacker could craft a prompt that causes the agent to generate an `<emotion>` value containing shell metacharacters, leading to arbitrary command execution on the host system via the `curl` fallback in `SKILL.md`. While the stated purpose of fetching from `hugllm.com` is benign, the implementation exposes a severe RCE risk.
