Back to skill
Skillv0.1.2
VirusTotal security
Hackathon Swarm Coding · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:57 AM
- Hash
- bc40882f08255f4551c56033c257fa9a6a8bc2bfe1324ba9569b4dbc3338247a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: swarm-coding-skill Version: 0.1.2 The skill is highly suspicious due to a critical arbitrary file write vulnerability in `orchestrator.js`. The `parseWorkerOutput` function uses `path.join` with LLM-generated file paths, which can resolve `../` sequences. Combined with the skill's explicit operation on the parent workspace (`WORKSPACE_ROOT = path.resolve(__dirname, '..');`), a malicious prompt could instruct the LLM to write files outside the intended project directory (e.g., `../../../.ssh/authorized_keys`), leading to potential Remote Code Execution (RCE). While the `SKILL.md` and `README.md` warn about writing to the parent workspace, this does not mitigate the underlying path traversal vulnerability.
- External report
- View on VirusTotal