Skill v0.1.0
VirusTotal security
Nova Letters · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:29 AM
- Hash: 74215c87ed62207c3c81abbfe66a35186dcba9791f5a419150ac9655fe0ad71e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: nova-letters. Version: 0.1.0. The skill's stated purpose of helping an AI agent write and read reflective letters is benign. However, the `nova-letters.js` script contains a path traversal vulnerability in its `readLetter` function. The `date` argument, which is used to construct the filename, is not sanitized, allowing an attacker or a compromised agent to read arbitrary files outside the intended `~/.openclaw/workspace/letters/` directory (e.g., `nova-letters read ../../../etc/passwd`). This critical information disclosure vulnerability makes the skill suspicious, as it allows for unauthorized access to system files.
