Skill v1.1.0
VirusTotal security
Node.js Project Architecture · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:00 AM
- Hash: 5e51ac5e56c625dc903a7be880abbfe6bd5874debd486b4194ec13759b28521d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: nodejs-project-arch. Version: 1.1.0. The skill bundle provides architectural standards for Node.js projects aimed at optimizing AI context usage, but it explicitly instructs the AI to implement a high-risk administrative 'hot-reload' feature. This feature includes code patterns in SKILL.md and docs/Config-Pattern.md that perform direct, unsanitized filesystem writes (fs.writeFileSync) to a configuration file using user-supplied data (req.body). While the intent appears to be developer convenience, this pattern introduces a significant security vulnerability (Arbitrary File Write/Configuration Injection) and promotes a weak authentication mechanism (x-admin-password header) for sensitive administrative actions.
