Back to skill
Skillv1.0.0
VirusTotal security
black-box · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:18 AM
- Hash
- 6928408a1a0a935f3116f341e303b6807999d307814e3cef93744dbbe9a80563
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: black-box Version: 1.0.0 The skill is classified as suspicious due to a critical security vulnerability in `run.py`. Despite a comment stating 'Security Fix: Use standard SSL', the `pymysql.connect` calls do not explicitly enable or enforce SSL/TLS, meaning database credentials and sensitive log data could be transmitted in plaintext or without proper encryption, making it vulnerable to eavesdropping. Additionally, the database connection string (DSN), which may contain credentials, is cached in a plain text file `~/.openclaw_black_box_dsn`, posing a risk if the local system is compromised. While the skill's stated purpose is legitimate logging and it uses safe practices like parameterized queries, the lack of secure transport for database connections is a significant flaw.
- External report
- View on VirusTotal