Skill v1.0.1
VirusTotal security
TODO Web App · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 6:43 AM
- Hash: 38af7d0cf51abacfb2c750404b765492a49b782277683210585db0b8828a0d45
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: todo-webapp; Version: 1.0.1. The skill deploys a Node.js web server (scripts/server.js) that manages local Markdown files and establishes persistence via a macOS launchd agent. While the functionality matches the description, the server contains a Stored XSS vulnerability because it renders TODO item text directly into the HTML without sanitization. Furthermore, the server listens on all network interfaces (0.0.0.0) without authentication or CSRF protection, potentially allowing any device on the local network to read or modify the user's TODO files.
