Skill v1.0.0
VirusTotal security
Create Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:04 AM
- Hash: c6ce7aa5f78d0def8586696c6dd967d2806803bf5450b08f3a3161dceca51860
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: create-skill. Version: 1.0.0. The skill bundle is classified as suspicious due to a critical Zip Slip vulnerability found in `scripts/easyclaw_unzip_skill.py`. This script, which the `SKILL.md` explicitly instructs the agent to use for extracting skill packages, uses `zipfile.extractall` and custom extraction logic without adequate sanitization of archive member paths, potentially allowing an attacker to write files to arbitrary locations on the file system by providing a specially crafted zip file. While the overall purpose of the skill (managing other skills) is legitimate, this vulnerability poses a significant security risk.
