Back to skill
Skillv1.2.0
VirusTotal security
Paragraph · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:39 AM
- Hash
- d7638bd9b5197cd7fa139b1b8e4d58bd76d807197d20da3bc2f653d89c0f642b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: paragraph Version: 1.2.0 The skill provides a functional integration for Paragraph.com but includes high-risk capabilities that warrant a suspicious classification. Specifically, the `paragraph_importSubscribers` tool in `skill.js` performs unvalidated local file reads using `fs.readFileSync(csvPath)`, which could be exploited for arbitrary file access if the agent is manipulated. Additionally, the implementation allows the API base URL to be overridden via environment variables, which could potentially be used to redirect sensitive API keys and data to unauthorized endpoints.
- External report
- View on VirusTotal