Back to skill
Skillv0.1.0
VirusTotal security
Soul Pack · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 3:55 AM
- Hash
- 678a06e5387fe399a78e115efd428ba5efb0d7cfd819a7d6b42a63eb5be8b085
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: soul-pack Version: 0.1.0 The skill bundle is suspicious due to potential shell injection vulnerabilities in `scripts/export-soul.sh`, `scripts/import-soul.sh`, and `scripts/list-souls.sh`. While script variables are quoted, the scripts do not sanitize user-provided arguments (e.g., `--agent`, `--workspace`, `--dir`), making them vulnerable if the OpenClaw agent passes unsanitized input. Furthermore, `scripts/import-soul.sh` uses `tar -xzf` to extract packages, which is susceptible to path traversal attacks from malicious archives, potentially allowing arbitrary file writes despite the `--strip-components=1` flag. These vulnerabilities could lead to arbitrary command execution or file manipulation.
- External report
- View on VirusTotal