Back to skill
Skillv1.0.0
VirusTotal security
Weather Push · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:57 AM
- Hash
- 6f3333ab9e179719c5a9fde464c121d60f7fb247602813c1ac299782e7313599
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: weather-push Version: 1.0.0 The skill is classified as suspicious due to critical vulnerabilities, specifically the use of `StrictHostKeyChecking=no` in SSH connections to `10.144.1.3` in `push.sh`, which makes it vulnerable to Man-in-the-Middle attacks. Additionally, the `parse_weather_json` function in `push.sh` embeds raw `curl` output directly into a Python script string literal (`json.loads('''$DATA''')`), creating a potential Python code injection vulnerability if the `curl` output could be manipulated. While the skill's stated purpose (weather and service status updates) appears benign, these vulnerabilities present significant security risks.
- External report
- View on VirusTotal