Back to skill
Skillv2.0.0
VirusTotal security
LSP Code Navigation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:47 AM
- Hash
- 6a6e4f1b941be52cd286a5848d4e71bbf565a1edf730aab2f875cc72aa2de7ba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lsp Version: 2.0.0 The skill provides a multi-language LSP client. The `SKILL.md` is descriptive and does not contain prompt injection attempts. The `lsp-query.py` script uses standard Python modules and subprocess calls to manage LSP servers. The most significant finding is the `LSP_SERVER` environment variable, which, if set, allows overriding the default language server command with an arbitrary command (found in `scripts/lsp-query.py`). While intended for flexibility, this creates a critical remote code execution (RCE) vulnerability if an attacker can control this environment variable, as the script will execute the provided command. This is a design flaw that enables potential attacks, classifying it as suspicious rather than malicious, as there's no evidence of the skill itself attempting to exploit this.
- External report
- View on VirusTotal