Skill v1.0.2

VirusTotal security

Tarkov API + Wiki Hardcore Assistant · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:05 AM
Hash
4a77bd94ad878cd60705ee8956fc80e63f57d6b067a0184275941338a59c8a5b
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: tarkov-api
Version: 1.0.2

The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability in the `stash-value` command within `scripts/tarkov_api.py`. The script directly reads the file path provided by the `--items-file` argument without validation or sandboxing, allowing a prompt-injected AI agent to potentially read arbitrary files on the system (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). While the skill's overall design and documentation (`SKILL.md`, `references/security-model.md`) emphasize security and explicitly forbid malicious actions like remote code execution, this LFI risk constitutes a significant vulnerability that could lead to sensitive data exposure.