Back to skill
Skillv0.2.0
VirusTotal security
Clawpet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 11:31 AM
- Hash
- c3da29101dabe1d1f47b22fb855bbfb5a2d60a2b12c0a1ccc28cd18e7124af25
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tamapet Version: 0.2.0 The skill implements a virtual pet game with Telegram integration but contains several security vulnerabilities. Specifically, the Python backend (`server.py`) is susceptible to path traversal attacks because it fails to sanitize the `userId` parameter before using it in `os.path.join` to access the filesystem (e.g., in `load_pet` and the `/card/` endpoint). Additionally, the server lacks HMAC validation for Telegram's `initData`, which is a critical security flaw that allows for identity spoofing. While these appear to be unintentional programming errors rather than intentional malware, they represent a significant attack surface.
- External report
- View on VirusTotal