Skill v1.0.4
VirusTotal security
EPAI · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:28 AM
- Hash: 43622db8fb78ccdc0e15ba78930eb3b656e8b6e0b4e593353bcb32ee09fcbde7
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: epaiskill; Version: 1.0.4. The skill is classified as suspicious due to a potential path traversal vulnerability in `scripts/epaiclt.py`. The `document_upload` function directly uses user-provided file paths (from the `--file` argument) with `os.path.exists` and `open(f, 'rb')`. While the `SKILL.md` declares `file-read` permission for document uploads, this direct usage without input sanitization could allow an attacker to instruct the AI agent (via prompt injection) to read arbitrary files from the host system (e.g., `/etc/passwd`) if the agent does not sanitize the file paths before passing them to the script. The script then attempts to upload these files to the configured `EPAI_API_BASE`, which could become an exfiltration vector if the API endpoint is compromised or controlled by an attacker, although the skill itself does not redirect to a malicious endpoint.
