Skill v1.0.0
VirusTotal security
Codespace Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 4:30 AM
- Hash: 7f9e93613b9ea69d33700d6675550e0888270b1a88c16844439577ea8c6915a3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: codespace-manager. Version: 1.0.0. The skill is classified as suspicious due to a critical path traversal vulnerability in `scripts/codespace.sh`. The `name` parameter, which is user-controlled, is used directly in path constructions (e.g., `mkdir -p "$CODESPACE_BASE/$name"`, `rm -rf "$workspace"`), allowing an attacker to use `../` to create or delete arbitrary directories on the host system. Additionally, `assets/Dockerfile.txt` uses `curl | bash` for installing several tools (Bun, uv, OpenCode) from external domains (bun.sh, astral.sh, opencode.ai), posing a significant supply chain risk if any of these sources were compromised. While the skill's stated purpose is legitimate, these vulnerabilities introduce substantial security risks to the host system.
