Skill v1.0.0

VirusTotal security

Agent Core Extractor · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Apr 30, 2026, 6:38 AM
Hash
8801cf5e0e1541f40023c708691116a16a04ad5fdc02b7c45993f40b44dc73e5
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: agent-core-extractor
Version: 1.0.0

The skill includes a bash script (`scripts/export-agent-core-pack.sh`) that exhibits a path traversal vulnerability because it fails to sanitize the `--repos` input before constructing file paths. While the script's stated purpose is to package agent configuration files, it targets potentially sensitive files like `.claude/settings.json` and various framework-specific configuration files across the user's filesystem (defaulting to `~/Documents/GitHub`). Although no evidence of intentional data exfiltration or malicious backdoors was found, the combination of broad file access and the lack of input validation on shell-executed paths meets the criteria for a suspicious classification.