Back to skill
Skillv1.0.0
VirusTotal security
done · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:43 AM
- Hash
- b76468977d41763890a2a44f119ae6a7bb224f7f7e0065a594fb8f5564f96b69
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: done Version: 1.0.0 The skill bundle contains a critical path traversal vulnerability in `install.py`. The `skill_name` is extracted from the `SKILL.md` file within a user-provided ZIP without sanitization, allowing an attacker to potentially delete or overwrite arbitrary directories (e.g., `~/.ssh`) via `shutil.rmtree` and `shutil.copytree`. Additionally, the script contains hardcoded Windows paths for a specific user profile (`yanha`), which is highly irregular for a general-purpose tool and suggests it was not designed with multi-user security in mind.
- External report
- View on VirusTotal