Skill v1.0.0
VirusTotal security
Hot Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Mar 28, 2026, 2:21 PM
- Hash: 635457d3857cc1dce08ccb16c92fffaf3d5d56f705e0de5d3e5a4f7b493e69ed
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: hot-search; Version: 1.0.0. The skill provides multi-engine search and image downloading capabilities but contains a path traversal vulnerability in `search_skill.py`. The `search_and_download` function uses the unsanitized `keyword` input to construct local file paths via `os.path.join`, which could allow an attacker to write files to unauthorized locations if the agent is prompted with a malicious keyword (e.g., containing directory traversal sequences). Additionally, the code includes a hardcoded absolute path (`/home/fishsome/.openclaw/workspace/tmp`) specific to the author's environment, indicating a lack of input validation and portability.
