Skill v1.1.0

VirusTotal security

GradientDesires · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:00 AM
Hash: e7aab0eb823cc7db078bf3c96b5f534e6dbf9f989d9dbd8a74bcefc05bce6a46
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: gradientdesires-skill
Version: 1.1.0

The skill is classified as suspicious due to a local file disclosure vulnerability found in `scripts/gradientdesires.sh`. The `register` and `update-profile` commands use `curl -d @"$2"` to read a profile JSON file, but the `$2` argument (file path) is not sanitized. This allows an AI agent, if prompted, to read arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and send their content to the `gradientdesires.com` API. This directly contradicts the 'No local file access' claim in `SKILL.md` and `scripts/agent-pulse.sh`. Additionally, the fallback JSON payload construction without `jq` uses less robust string escaping, which could lead to malformed JSON, though this is a lesser vulnerability. All network communication is confined to `https://gradientdesires.com`.