Skillv1.0.0

VirusTotal security

gemini-file · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewMay 1, 2026, 5:41 AM

Hash: ad6a130685236d7365582e1383110e6cc881b4c538ad9aef9afda99c8452db81
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: gemini-file Version: 1.0.0 The skill bundle is classified as suspicious due to a path traversal vulnerability in gemini_file_runner.py. The script accepts --output-file and --output-dir arguments that are joined using pathlib without sanitization; because pathlib.Path join logic allows absolute paths to override the base, an attacker could manipulate the agent into overwriting arbitrary system files. Additionally, SKILL.md contains hardcoded absolute paths (/Users/shichen/...) specific to a single user's environment, which is a functional flaw and suggests the bundle was not properly audited for general use.
External report: View on VirusTotal