Skill v0.2.3
VirusTotal security
macos-suite · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:58 AM
- Hash: c8e8a8b6ff8e6461ef9ff0db36fe304fa8978a27444519943fb0ef846f728125
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: macos-suite. Version: 0.2.3. The skill is designed for macOS automation, which inherently involves powerful capabilities. It implements good security practices like requiring explicit confirmation (`confirm=YES`) for all modifying actions and a domain allowlist for network requests. However, it contains path traversal vulnerabilities in `scripts/main.py`. Specifically, the `file` argument in `freeform.compose` and the `attachments` argument in `mail.send` use `os.path.expanduser` on user-provided input without further sanitization, allowing an attacker to attempt to read arbitrary files (e.g., `../../../../etc/passwd`) or potentially attach them to emails, respectively. While there is no clear evidence of intentional malicious behavior (like exfiltration or backdoors), these flaws allow for information disclosure or unintended file handling if exploited.
