Skill v1.0.0
VirusTotal security
Skill Auto Attach · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:59 AM
- Hash: 3540186b70a2afdd22fcd53223c21ea34753eea8da7cd4c7c888c4ef1dbfb6f6
- Source: palm
- Verdict: suspicious
- Code Insight: Package: skill-auto-attach (xpi). Version: 1.0.0. Description: Automatic file attachment skill for Telegram. The skill's stated purpose is to automatically attach new or updated 'documentation files' (e.g., .html, .md, .txt) from the OpenClaw workspace to Telegram messages. However, the `auto-attach.sh` script monitors for *any* regular file creation or modification within the hardcoded `WATCH_DIR` (`/home/elodyzen/.openclaw/workspace`) and sends it via the `openclaw message send` command. This lack of file type filtering means that sensitive files (e.g., configuration files, private keys, source code with embedded secrets) that are not intended to be shared could be inadvertently copied to `/tmp` and then sent to the configured Telegram channel. While the script includes cleanup for temporary files and uses standard tools, the broad scope of file monitoring combined with the hardcoded watch directory presents a significant potential for unintended data leakage, making it suspicious. The security relies heavily on the user's understanding of what files are in their workspace and the security of the `openclaw` tool itself.
