Skill v1.0.0
VirusTotal security
Dissertation Workflow Core · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:55 AM
- Hash: 29ea16b54fece9fd9124ccfc7cd1dd6980d9455750b0868d84f65ce656c36e69
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: dissertation-workflow-core; Version: 1.0.0. The skill bundle is designed for a legitimate academic workflow. However, it instructs the AI agent to execute local Python scripts (`status_tracker.py`, `zotero_connector.py`) via shell commands in `SKILL.md`. Specifically, the `zotero_connector.py` script is called with parameters like `"query"` and `"doi_or_metadata"`, which are likely derived from user input or agent-generated content. If the agent does not properly sanitize these parameters before constructing the shell command, and if the Python scripts themselves are vulnerable to shell injection (e.g., using `os.system()` or `subprocess.run(..., shell=True)` without proper escaping), this creates a significant remote code execution vulnerability. This is a critical flaw that allows for potential attacks, classifying the skill as suspicious rather than benign, but without clear evidence of intentional malicious design.
