Skill v0.2.1
VirusTotal security
hum · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 12, 2026, 11:26 AM
- Hash: ed3b80bb301b9e749706548ec4284d6041a25f4c9ab0bea3d0075458fa897a9e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: hum-writer. Version: 0.2.1. The skill is a social media automation tool that handles sensitive session tokens (X and LinkedIn) and includes a local dashboard server (scripts/dashboard/serve.py) containing multiple path traversal vulnerabilities. Specifically, the API endpoints for reading content, loop logs, and knowledge articles (e.g., in _read_content and _read_loop_file) do not sanitize input filenames, allowing an attacker to read arbitrary files on the host system by providing paths like '../../etc/passwd'. Additionally, the skill relies on vendored Node.js scripts (scripts/lib/vendor/bird-search/) to interact with X's internal GraphQL API using the user's session cookies (AUTH_TOKEN and CT0), which is a high-risk capability.
