Skill v1.0.0

VirusTotal security

Lsp28 Grid · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 4:18 AM
Hash
2f7dda5ce6ce2d6e5e05aa6615ddd8799b1b57b694120924e14ababe8c17a737
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: lsp28-grid
Version: 1.0.0

The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability in `scripts/update-grid.js`. The script uses `fs.readFileSync` to load grid data from a user-specified file path (`--file <grid.json>`), which could allow an attacker (via prompt injection against the agent or social engineering) to read arbitrary files on the system. While there is no explicit code to exfiltrate the read data, the capability to access local files is a significant security risk. Additionally, the skill handles sensitive environment variables like `UP_PRIVATE_KEY` for blockchain transactions, and the LSP28 standard allows embedding arbitrary `iframe` and `external` URLs, which could be misused if malicious inputs are provided.