bomb-dog-sniff
skill-bomb-dog-sniff · v1.2.0 · by OpenClaw Security Team
64.0
Trust Score
0
Trust Tier
danger
Badge
Score Breakdown
| Factor | Score | Weight |
|---|---|---|
| Static | 0.0 | 15% |
| Permission | 95.0 | 15% |
| Poison | 100.0 | 15% |
| Clickfix | 100.0 | 15% |
| Credential | 60.0 | 15% |
| Twostage | 5.0 | 10% |
| Infrastructure | 100.0 | 5% |
| Typosquat | 100.0 | 5% |
| Age | 10.0 | 3% |
| Popularity | 0.0 | 2% |
Scan Results
STATIC — Score: 0
[CRITICAL] Remote code download and execution via curl pipe
(line 101)
Dangerous curl | bash pattern detected
[CRITICAL] Remote code download and execution via curl pipe
(line 208)
| **pipe_bash** | HIGH | `curl \| bash`, `wget \| sh` patterns |
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern
(line 209)
| **deposit_scam** | HIGH | "Send ETH to 0x...", payment prompts in unexpected contexts |
[CRITICAL] Remote script download piped to shell execution
(line 101)
Dangerous curl | bash pattern detected
[CRITICAL] Remote script download piped to shell execution
(line 208)
| **pipe_bash** | HIGH | `curl \| bash`, `wget \| sh` patterns |
[MEDIUM] Cron job installation or modification
(line 214)
| **file_tamper** | CRITICAL | `.bashrc` modification, crontab editing, SSH authorized_keys manipulation |
[MEDIUM] References to cryptocurrency seed/recovery phrases
(line 202)
| **crypto_harvester** | CRITICAL | Private key extraction, wallet exports, mnemonic theft |
PERMISSION — Score: 95
[LOW] Skill appears to use network but declares no permissions
POISON — Score: 100
No findings.
CLICKFIX — Score: 100
No findings.
INFRASTRUCTURE — Score: 100
No findings.
TWOSTAGE — Score: 5
[CRITICAL] Download piped directly to interpreter (two-stage loader)
(line 208)
| **pipe_bash** | HIGH | `curl \| bash`, `wget \| sh` patterns |
CREDENTIAL — Score: 60
[CRITICAL] SSH key file access or exfiltration
(line 214)
| **file_tamper** | CRITICAL | `.bashrc` modification, crontab editing, SSH authorized_keys manipulation |
TYPOSQUAT — Score: 100
No findings.