Back to skill
Skillv1.0.0
VirusTotal security
MongoDB Atlas · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:45 AM
- Hash
- 669b168520e1c48b580d9db26aee5587a180afc79fbe9a57d1a0006218f4ffee
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: mongodb-atlas-admin Version: 1.0.0 The skill bundle is classified as suspicious primarily due to the `scripts/atlas-call.mjs` script's `--file <path>` option. This option allows reading the content of any local file and attempting to parse it as JSON for use as a request body. While this is a plausible feature for an API client, it introduces a vulnerability where a prompt-injected AI agent could be instructed to read sensitive local files (e.g., `~/.ssh/id_rsa` if it's valid JSON, or its content could be exposed if the agent is instructed to print errors/content). However, the `SKILL.md` and `atlas-call.mjs` also implement strong safety protocols, explicitly instructing the AI agent to use `--dry-run` and seek user confirmation for any state-changing API operations, which is a positive security measure against prompt injection and accidental malicious actions.
- External report
- View on VirusTotal