Skill v1.2.0
VirusTotal security
Vta Memory · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 3:14 AM
- Hash: efdd539e1627f8ec6993f09432f9200ce17b002fc3e51714beff0b29ff444eab
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: vta-memory; Version: 1.2.0. The skill bundle contains several vulnerabilities that could be exploited by a malicious actor. The `generate-dashboard.sh` script is vulnerable to Cross-Site Scripting (XSS) as it directly injects user-controlled data (e.g., agent name from `IDENTITY.md`, memory summaries, emotion triggers, reward sources from JSON state files) into the generated HTML without proper escaping. Additionally, the `sync-motivation.sh` script creates `VTA_STATE.md` by directly embedding user-controlled content (from `seeking`, `anticipating`, and `recentRewards.source` fields in `reward-state.json`) which, when auto-injected into agent sessions, presents a prompt injection vulnerability. Finally, the `prompts/encode-rewards.md` instructs the agent to construct and execute shell commands with arguments derived from conversation analysis, posing a risk of arbitrary command execution if the agent can be tricked into generating malicious arguments via prompt injection. These are vulnerabilities, not evidence of intentional malicious behavior by the skill itself.
