Back to skill
Skillv3.9.0
VirusTotal security
Hippocampus · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:13 AM
- Hash
- 44ab6b5cea509295468c9faf70242a7a6b6d3402040767e8e4115a3e51bfe30e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hippocampus Version: 3.9.0 The skill is designed for AI agent memory management, involving extensive local file I/O and internal prompt injection for self-management. However, the `scripts/generate-dashboard.sh` script contains a Local File Disclosure vulnerability. It reads the `AVATAR_PATH` from `IDENTITY.md` and, if this path is manipulated (e.g., to `/etc/passwd` or `~/.ssh/id_rsa`), it will base64 encode the content of the specified file and embed it into the locally generated `brain-dashboard.html`. This allows for potential unauthorized access to sensitive local files if the `IDENTITY.md` file can be compromised.
- External report
- View on VirusTotal