Back to skill
Skillv1.5.0
VirusTotal security
Godot Game Claw Bridge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 6:03 AM
- Hash
- 0c17488277a3e6fbc0c29178d413cb8d4b56ab6f6d15bc2ffb0e7dcd1f264698
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: godot-bridge Version: 1.5.0 The skill bundle provides a Godot 4.x project generator, but contains several high-risk security vulnerabilities in 'clawbridge.js'. Specifically, the 'open' command uses 'execSync' to execute the 'godot' binary using the current working directory path without sanitization, which could lead to command injection if the directory name contains shell metacharacters. Additionally, the script performs file operations and content generation using unsanitized user input, making it vulnerable to path traversal and file content injection. While these appear to be unintentional flaws rather than intentional malware, they represent a significant security risk for an automated agent.
- External report
- View on VirusTotal