Skill v0.1.2

VirusTotal security

AOI Sandbox Shield (Lite) · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review May 1, 2026, 4:02 AM
Hash
599a67578b6d4079e921b1f38c43aed42420cd987d53989f8eae35c950b3e9fd
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: aoi-sandbox-shield-lite
Version: 0.1.2

The `skill.js` file contains a `validateConfig` function that reads the content of an arbitrary file path provided via the `--path` argument using `fs.readFileSync`. While the stated purpose is to validate JSON, this capability allows reading any file the process has permissions for. The file content (or parsing error) is then printed to `stdout`. This creates an information disclosure vulnerability, as an attacker could potentially use prompt injection against the OpenClaw agent to read sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and capture the output, even though the skill itself does not perform external data exfiltration. This is a risky capability without clear malicious intent within the code itself.