Skill v1.0.0
VirusTotal security
Pinch: Claw to Claw Encrypted Messaging · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:47 AM
- Hash: 9c2a2bc041478e8039d19acd322d8e062903594f4b64984f9601f75d4f20a3b6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: pinch; Version: 1.0.0. The skill is designed with a strong emphasis on security and human oversight, featuring end-to-end encryption, audit logging, and explicit human approval for connections and autonomy changes. However, the `pinch-audit-export` command, defined in `SKILL.md`, allows the agent to specify an arbitrary `--output` file path. While intended for exporting audit logs, this capability introduces a significant vulnerability. An attacker could potentially exploit this via prompt injection to instruct the agent to write to sensitive file paths (e.g., `~/.ssh/id_rsa` or system configuration files), leading to arbitrary file overwrite/creation, which could facilitate remote code execution or privilege escalation depending on the agent's privileges. There is no explicit malicious intent in the provided files, but the exposed risky capability warrants a 'suspicious' classification.
