Skill v2.4.1
VirusTotal security
分贝通旅行 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 21, 2026, 7:26 AM
- Hash: 040a6ac5dd903b08336f87ab95e1ef5accd4393331f68e9b0144cae0bf7af6ad
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: travels. Version: 2.4.1. The skill bundle contains several significant security vulnerabilities, although no clear evidence of intentional malice was found. Key issues include the explicit disabling of SSL certificate verification in `scripts/common.py` (using `ssl._create_unverified_context`), which exposes the agent to Man-in-the-Middle (MITM) attacks, and a potential shell injection vulnerability in `scripts/travel_api.py` where `os.system` is used with unsanitized command-line arguments. Additionally, `scripts/hotel_api.py` contains a hardcoded `DEFAULT_ACCESS_TOKEN`. While these are critical flaws, they appear to be poor security practices rather than intentional malware designed for exfiltration or persistence.
