Sha256 Tool
PassAudited by VirusTotal on May 3, 2026.
Overview
Type: OpenClaw Skill Name: sha256-tool Version: 1.0.0 The skill is a straightforward SHA-256 hashing utility. While the implementation in scripts/sha256.py contains a minor vulnerability by reading the entire file into memory at once (which could lead to memory exhaustion for very large files), there is no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked without an explicit file, the tool may read a local file named a.txt instead of hashing piped text.
The script reads a provided file path, or a default local file named a.txt if no argument is given. This is purpose-aligned for file hashing, but differs from the documented stdin example and could hash an unexpected local file.
h.update(open(sys.argv[1] if len(sys.argv) > 1 else "a.txt", "rb").read())
Use an explicit file path when invoking the tool, and consider updating the script to support stdin or fail safely when no input is provided.
The skill may not run as documented unless the environment already provides a matching command or wrapper.
The documentation references a sha256-tool command, but no install specification explains how that command is created from the included script.
No install spec — this is an instruction-only skill.
Verify the actual installed command or invoke the included Python script directly if appropriate.