Back to skill
Skillv1.0.0
VirusTotal security
feishui-file-sender · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:38 AM
- Hash
- ddba66fbeefae5bc1d8aca3caf3a11b02282c611c2bbe1836a9f877cf39b58ad
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: feishui-file-sender Version: 1.0.0 The `SKILL.md` file instructs the AI agent to `cd` into `/root/.openclaw/workspace/skills` and use the `zip` command to package directories. The skill then uses the `message` tool with a `filePath` parameter that accepts absolute paths. This combination, while intended for sending other skills, creates a significant prompt injection vulnerability. An attacker could potentially instruct the agent to zip and exfiltrate arbitrary sensitive files or directories (e.g., `/etc`, `~/.ssh`, or other skill data) by manipulating the `zip` command's target or the `filePath` parameter. This grants a high-risk capability that could be abused, but the provided files do not show explicit malicious intent to self-exploit or exfiltrate unrelated data.
- External report
- View on VirusTotal