Skill v1.0.0
VirusTotal security
Variant Annotation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:44 AM
- Hash: 238d90174cec8c8f28d6c1ad1e2757cc3ec1b29bd1c9ba66c21da43d65fabb11
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: variant-annotation; Version: 1.0.0. The skill's core functionality is benign, designed for legitimate bioinformatics variant annotation. However, the `scripts/main.py` file contains a significant arbitrary file read/write vulnerability. The `main()` function passes the `args.file` and `args.output` parameters directly to `open()` without any path sanitization or restriction, potentially allowing an attacker to read or write arbitrary file paths on the host system if the execution environment is not sufficiently sandboxed. While `SKILL.md` lists 'Output directory restricted to workspace' and 'Script execution in sandboxed environment' in its security checklist, the code itself does not enforce these restrictions, so this is a vulnerability rather than evidence of malicious intent.
