Back to skill
Skillv1.0.1
VirusTotal security
datapilot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:25 AM
- Hash
- 6e05f6e9a6b9641ef36ec349066b2ff41ad58ee4d80e01f4327d56acec9caab3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: oceanbase-datapilot Version: 1.0.1 The skill bundle contains significant security vulnerabilities in 'dataagent_openapi_cli.mjs' that could be exploited. Specifically, the script logs the raw 'DATAPILOT_API_KEY' to a local file ('dataagent_cli.log') within the 'getAuthHeaders' function, despite having sanitization logic elsewhere. Furthermore, the 'create-instance' command facilitates arbitrary file reading and uploading via the '--sqlite-file' argument without path validation, potentially allowing an attacker to exfiltrate sensitive system files if the AI agent is manipulated. While these appear to be unintentional design flaws rather than intentional malware, they pose a high risk.
- External report
- View on VirusTotal