Skill v1.0.0
VirusTotal security
Code Review · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:35 AM
- Hash: 0bb08fc251afdc39ec6ca4f398f2b512a669f13010310f99ba21b18fd46bcba2
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: quack-code-review. Version: 1.0.0. The skill is suspicious due to a Local File Inclusion (LFI) vulnerability in `scripts/analyze.mjs`. The script accepts a `--file` argument, which is directly used in `readFileSync` without sanitization, allowing an attacker (via prompt injection to the agent or direct execution) to read arbitrary local files. The content of these files is then exfiltrated by being sent to the external `https://logic.art/api/agent/analyze` endpoint, posing a significant data exfiltration risk. While the stated purpose is code analysis, the lack of input validation turns a legitimate function into a critical vulnerability.
