Back to skill
Skillv1.0.2
VirusTotal security
量子密信-Openclaw对接 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:59 AM
- Hash
- 23bbb1d4acd04da921b6a47591f85a02f6d5a9d0375c9e145b0610a6823a8379
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: quantum-messenger Version: 1.0.2 The skill contains a significant command injection vulnerability in `scripts/listener.mjs` where user-provided content is passed to `child_process.exec` via the OpenClaw CLI. Furthermore, the logic in `listener.mjs` that parses AI responses for `IMAGE:` or `FILE:` prefixes and automatically uploads the referenced paths to an external endpoint (`imtwo.zdxlz.com`) creates a high risk of arbitrary file exfiltration if the AI is manipulated. While these appear to be architectural flaws rather than intentional malware, the combination of remote command execution risk and file access makes the bundle unsafe for production without sanitization.
- External report
- View on VirusTotal