Skill v1.1.2

VirusTotal security

Kazakhstan tax assistant · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:39 AM
Hash
16bb6b740ab62290221c2404203b25d87e30a9e5fee73b993644c1eaf097f5a7
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: kz-tax-code
Version: 1.1.2

The skill bundle contains scripts (fetch.js, update.js, and _shared.mjs) that explicitly allow disabling TLS certificate verification by setting 'NODE_TLS_REJECT_UNAUTHORIZED' to '0' when the '--insecure' flag is used. While the documentation in SKILL.md justifies this as a workaround for the Kazakhstan government's (adilet.zan.kz) non-standard CA, it introduces a significant risk of Man-in-the-Middle (MITM) attacks. Additionally, the scripts accept arbitrary file paths for reading and writing via CLI arguments, which could be exploited for path traversal or unauthorized file access if the AI agent is targeted by prompt injection. No evidence of intentional malice or data exfiltration was found, but the architectural choices create a high-risk environment.