Back to skill
Skillv1.0.0
VirusTotal security
Code Assistant · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:45 AM
- Hash
- b7838ec209b7c1e34cf583f4e98658c22aa36b076b967889c902ea38eb7207d6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: code-assistant Version: 1.0.0 The skill is designed as a code assistant, requiring file system access for its stated purpose. However, the `scripts/analyzer.ts` directly uses user-provided file and directory paths from `process.argv` without any input sanitization. This creates a Local File Inclusion/Disclosure (LFI/LFD) vulnerability, allowing an attacker to potentially read arbitrary files (e.g., `../../../../etc/passwd`) on the system by manipulating the `target` argument passed to the `code` command. While this is a critical security flaw, the script does not contain explicit code for data exfiltration, installing backdoors, or other actions indicative of intentional malice; it merely reads and attempts to 'analyze' the content.
- External report
- View on VirusTotal