Back to skill
Skillv1.0.1
VirusTotal security
Simulated Roadtrip · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 27, 2026, 4:28 AM
- Hash
- 459e96ddadfd4db90fef7e1c33d936d69925a7883791fcdb22da999bd42eb6c2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: simulated-roadtrip Version: 1.0.1 The skill is designed to interact with the `turai.org` API to generate road trip data. The `SKILL.md` provides clear instructions and does not contain prompt injection attempts. However, the `scripts/roadtrip.mjs` file has a potential path traversal vulnerability. The `--output <path>` argument uses `node:path.resolve` to determine the output file path, which could allow a malicious user or an agent manipulated by prompt injection to write the trip data JSON to arbitrary locations on the filesystem (e.g., `../../../../tmp/evil.json`), potentially overwriting sensitive files or writing to unauthorized directories. While the intent is to save output, this capability can be misused, making it suspicious.
- External report
- View on VirusTotal