Back to skill
Skillv1.0.6
VirusTotal security
hotbutter voice chat · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:36 AM
- Hash
- fb8e52ed511d9f67fc43fa2c5aaf453af6dcdbc93e4d8ffe675f9406fe059952
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hotbutter Version: 1.0.6 The skill is classified as suspicious primarily due to the potential for Remote Code Execution (RCE) via the `openclaw` binary. The `bin/voice-bridge.js` and `lib/agent-bridge.js` files execute `openclaw agent -m <text>` where `<text>` is user-controlled input received from the `hotbutter.ai` relay. Although `child_process.execFile` is used (which mitigates some shell injection risks), it does not prevent command injection if the `openclaw` binary itself is vulnerable to interpreting its `-m` argument as a command. Additionally, the skill explicitly relays all voice transcripts and agent responses through `wss://hotbutter.ai`, as stated in `SKILL.md` and `package.json`, which, while transparently declared, presents a significant privacy concern, especially given the warning that sensitive agent output will be transmitted.
- External report
- View on VirusTotal