Back to skill
Skillv1.0.0
VirusTotal security
Skill 1 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:22 AM
- Hash
- 4c14f001e85c8edc73dfc025a7b40858ad01316e4c40947b0972175191cc29ef
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-1 Version: 1.0.0 The skill is classified as suspicious due to a path traversal vulnerability in `scripts/generate_qr.py`. The script uses `args.output` directly for file saving (`img.save(args.output)` and `open(args.output, 'w')`) without sanitizing the path. This allows an attacker to specify an output path containing `../` sequences, potentially writing files to arbitrary locations on the filesystem, which is a critical security flaw. While the `SKILL.md` is benign and the `pip install` via `subprocess` uses hardcoded, legitimate package names, the arbitrary file write vulnerability makes the skill risky.
- External report
- View on VirusTotal