Back to skill
Skillv1.0.0
VirusTotal security
Journal Matchmaker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:44 AM
- Hash
- 494acc3361d33871baadfe6435af4f7c463eeb56f3d0f2874473d977938c5949
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: journal-matchmaker Version: 1.0.0 The skill bundle is classified as suspicious due to a critical path traversal vulnerability in `scripts/main.py`. When the `--file` argument is used, the `args.abstract` parameter is directly used as a file path without any sanitization or validation, allowing an attacker to read arbitrary files on the system (e.g., `../../../../etc/passwd`). While the `SKILL.md`'s security checklist claims 'Input file paths validated (no ../ traversal)', the Python code does not implement this protection. There is no evidence of intentional malicious behavior like data exfiltration or persistence, but the vulnerability poses a significant security risk.
- External report
- View on VirusTotal