Back to skill
Skillv1.0.1
VirusTotal security
Skill Health · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:38 AM
- Hash
- 4993b568d1d19230925efd7192006afd22f5f044624ffa258e671b096b158b19
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-health Version: 1.0.1 The skill is classified as suspicious due to path traversal vulnerabilities in all `scripts/run_*.py` files. Specifically, the `--output-dir` argument allows writing generated JSON reports to arbitrary file system paths, potentially leading to unauthorized file creation or overwrites (e.g., `/etc/passwd`, `~/.ssh/authorized_keys`). Similarly, the `--data-path` and `--data-dir` arguments allow reading CSV data from arbitrary file system paths, enabling an attacker to instruct the agent to read sensitive files (e.g., `/etc/shadow`) even if they fail to parse as valid health data CSVs. These are critical vulnerabilities that could be exploited by prompt injection against the agent, but there is no evidence of intentional malicious behavior within the code itself.
- External report
- View on VirusTotal