Skill v1.0.0
VirusTotal security
Local Task Runner · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:26 AM
- Hash: 3d8dce582cb5fbbae8e3e8a86b5fe54074bfaaa32b724006bbbf903dc7596156
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: local-task-runner
  - Version: 1.0.0
  - The 'local-task-runner' skill is designed to execute arbitrary Node.js code provided as a string, writing it to a temporary file and executing it via `child_process.exec` in `index.js`. While this is its stated purpose (as per SKILL.md and README.md), it represents a critical Remote Code Execution (RCE) vulnerability. An attacker could leverage prompt injection against the OpenClaw agent to cause it to pass malicious Node.js code to this skill, leading to arbitrary code execution on the host machine. The skill itself does not contain malicious logic, but its core functionality is a high-risk capability that enables severe attacks.
