Back to skill
Skillv0.1.1
VirusTotal security
Agent Communication · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 4:40 AM
- Hash
- 4b8457c9a70bbb6165a3ee1e3167130af76290c209f917e81113bed34a719499
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agent-communication Version: 0.1.1 The skill bundle contains multiple path traversal vulnerabilities across `scripts/broker.py`, `scripts/send.py`, `scripts/status.py`, and `scripts/workspace.py`. These scripts use user-controlled inputs (such as `agent_id`, `to`, and `key`) directly in file path constructions without sanitization. This allows a malicious agent to read, write, or delete arbitrary files on the system by injecting path traversal sequences (e.g., `../`) into these inputs, potentially leading to information disclosure, arbitrary code execution, or denial of service. While there is no clear evidence of intentional malicious behavior, these critical vulnerabilities make the skill suspicious.
- External report
- View on VirusTotal