Skill v1.0.0
VirusTotal security
openclaw-voice · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:15 AM
- Hash: 188772be0d04e35f694cb13097546a0f526b139b4292eb3d3dbf342a01a073b3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: openclaw-voice. Version: 1.0.0. The skill contains multiple vulnerabilities. A path traversal vulnerability exists in `src/backup.js` (exposed via `src/cli.js`'s `backup` and `restore` commands), allowing user-controlled paths to potentially write files or create directories in arbitrary locations. More critically, `src/interchange.js` writes user-controlled data (conversation summaries and voice profile descriptions) directly into markdown files (`interchange/voice/state/recent.md` and `interchange/voice/ops/profiles.md`). Since `SKILL.md` and `README.md` explicitly state these interchange files are read by other AI agents, this creates a significant prompt injection vulnerability, allowing an attacker to inject malicious instructions into other agents.
