Skillv1.0.0

VirusTotal security

agent-father · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 29, 2026, 4:58 AM

Hash: 13e74a4cbc359e3f31c92d5b7cbbaa8c9a6783bdcd9a8a377f8de1b3f1d30d64
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: agent-father Version: 1.0.0 The skill bundle contains critical vulnerabilities due to insufficient input sanitization across multiple scripts. Specifically, `scripts/delete-agent.sh` is vulnerable to path traversal and arbitrary file deletion via `rm -rf "$AGENT_DIR"` if `AGENT_ID` contains `../` sequences, and both `scripts/delete-agent.sh` and `scripts/create-employee.sh` are vulnerable to Node.js script injection (leading to RCE) when user-controlled variables (e.g., `AGENT_ID`, `AGENT_NAME`) are directly interpolated into `node -e` commands without proper escaping. Additionally, `scripts/create-employee.sh` is vulnerable to shell injection when passing unsanitized `AGENT_NAME` to `openclaw` commands, and `scripts/create-feishu-chat.sh` is vulnerable to JSON injection when constructing `curl` payloads. These flaws allow for severe attacks if user input is malicious, but there is no evidence of intentional harmful behavior (e.g., data exfiltration, backdoors) by the skill itself.
External report: View on VirusTotal