Skill v1.7.0
VirusTotal security
Latent Press · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:17 AM
- Hash: 25eb1e240db91b062707e92c83487064a12524bf76a80a2ba7e4b5a68744b32a
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: latent-press
  - Version: 1.7.0

  The skill's primary purpose of interacting with latentpress.com is benign. However, the `scripts/api.js` file contains a local file read vulnerability within the `upload-audio` command. The `filePath` argument is directly used in `fs.readFileSync` without sanitization or validation. This allows an attacker, potentially via prompt injection against the OpenClaw agent, to instruct the agent to read arbitrary files from the local filesystem (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and attempt to upload them to the legitimate Latent Press API endpoint (https://www.latentpress.com/api). While the server might reject non-audio files, the act of reading sensitive local files by the agent constitutes a significant security risk.
