Skill v0.1.0

VirusTotal security

Show Booking · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
Apr 30, 2026, 4:01 AM
Hash
d42242eb4e3c5cc65308b76a13c330a8e84a95ee12f50c4d3ae13ed331dce67d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: show-booking
Version: 0.1.0

The skill bundle is classified as suspicious due to a Local File Inclusion (LFI) vulnerability risk. The Python scripts (`scripts/intake_request.py`, `scripts/orchestrate_showings.py`, `scripts/create_invite_ics.py`) accept file paths as command-line arguments (e.g., `--input-file`, `--input`). A malicious prompt could instruct the AI agent to provide paths to arbitrary sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), potentially leading to information disclosure if the agent is instructed to output error messages or partial content. While the scripts expect JSON input and would error on non-JSON files, the ability to attempt reading arbitrary files without path validation is a significant vulnerability. There is no evidence of intentional malicious behavior like data exfiltration or remote code execution.