Skill v1.0.0
VirusTotal security
Forge 🔨 Repair-Inspect Loop · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:57 AM
- Hash: 3c516d21cc6bc2a4424f4e9c20a75636c6680c1544b1154cf8db717e5ab9d103
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: forge-loop
  - Version: 1.0.0

  The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability found in `scripts/forge.py`. The `check_doc_sync` function dynamically executes `scripts/tools/doc-sync-checker.py` if it exists within the project's work directory. This allows a malicious project owner to place arbitrary code in this file, which would then be executed by the OpenClaw agent running the Forge skill. While the skill's prompts for sub-agents include safety guardrails, this direct execution of untrusted project-supplied code constitutes a significant vulnerability, enabling potential self-exploitation of the agent.
