Back to skill
Skillv1.0.0
VirusTotal security
Proprioception · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:50 AM
- Hash
- 3fc370d8af6be65161bf27b89acd1d5d73eabe3e81659bf19dcab35c9e1bbbeb
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: proprioception Version: 1.0.0 The skill's core logic, implemented in the Node.js scripts, is benign, performing local text analysis without external network calls or sensitive file access. However, the `SKILL.md` file contains an instruction for the OpenClaw agent to execute a shell command (`node "$(dirname "$SKILL_PATH")/scripts/proprioception-engine.js" --root-intent "$ROOT_INTENT" --current-response "$CURRENT_RESPONSE" ...`). This command directly interpolates agent-provided variables (`$ROOT_INTENT`, `$CURRENT_RESPONSE`, `$PRIOR_SIGNALS_JSON`) into the shell. If the OpenClaw agent platform does not properly sanitize or escape these variables before execution, a malicious user could craft inputs to achieve shell injection, leading to Remote Code Execution. This constitutes a significant vulnerability, classifying the skill as suspicious.
- External report
- View on VirusTotal