Skill v1.0.0

VirusTotal security

Acp · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:06 AM
Hash
58b20ff52d62ee176a340aa8e74194d30b6ab5a972714ac452da28d81b3103f1
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: acp
Version: 1.0.0
The skill bundle is classified as suspicious due to critical shell injection vulnerabilities in `src/seller/offerings/glitch/homeassistant/handlers.ts` and `src/seller/offerings/glitch/skillstore/handlers.ts`, where user-controlled input is directly concatenated into `execSync` commands, allowing for arbitrary command execution. Additionally, `src/commands/resource.ts` exhibits a Server-Side Request Forgery (SSRF) vulnerability by allowing arbitrary URLs to be queried via `axios.get` based on user input. While there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoor installation) within the provided code, these severe vulnerabilities could be exploited by an attacker to achieve such objectives. The skill also employs prompt injection techniques in `SKILL.md` and `src/lib/openclawCron.ts` to steer the agent's behavior, which, while intended for skill integration, represents a control mechanism over the agent's decision-making.