metabot

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: metabot-basic
Version: 1.0.0

The skill is classified as suspicious due to multiple Local File Disclosure/Inclusion (LFD/LFI) vulnerabilities. Specifically, `scripts/avatar.ts` (used by `scripts/create_agents.ts` and `scripts/create_avatar.ts`) allows reading arbitrary files via a user-controlled `filePath` parameter passed to `loadAvatarFromFilePath`, which uses `path.resolve` and `fs.readFileSync`. Similarly, `scripts/send_buzz.ts` allows reading arbitrary file content if the buzz message starts with `@` followed by a user-controlled `filePath`. These vulnerabilities could be exploited by an attacker to read sensitive files (e.g., credentials, private keys) from the agent's host system. Additionally, the skill handles highly sensitive data such as mnemonics and LLM API keys, storing them in `account.json` at the project root, and `SKILL.md` instructs the AI agent to execute commands based on user input, which is a general prompt injection surface, though the LFD/LFI issues are the more concrete vulnerabilities.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If account.json is exposed or modified by another local process/skill, someone could use the MetaBot wallet identity, spend associated funds/fees, or reuse copied API credentials.

Why it was flagged

The skill persists wallet mnemonics and an environment-derived LLM API key into the account file. These credentials can authorize blockchain identity/fund actions or provider API use, and the artifacts do not show encryption or access isolation.

Skill content
const newAccount: Account = { mnemonic, ... llm: [{ provider: llmFromEnv.provider, apiKey: llmFromEnv.apiKey, ... }] } ... accountData.accountList.unshift(newAccount) ... writeAccountFile(accountData)
Recommendation

Use a new low-value wallet, protect and back up account.json securely, avoid storing real provider API keys unless necessary, and prefer encrypted or permission-restricted credential storage.

What this means

A Buzz may be posted publicly from the wrong MetaBot identity and incur blockchain fees; on-chain posts are difficult or impossible to undo.

Why it was flagged

When Buzz content is parsed, the script signs and broadcasts using the selected account, falling back to the first account when no match is found. There is no in-script review step for the exact account, content, fee, or network before broadcasting.

Skill content
if (!currentAccount) { currentAccount = accountData.accountList[0] } ... if (buzzContent) { ... const buzzResult = await createBuzz(currentAccount.mnemonic, buzzContent, 1, ...) }
Recommendation

Require exact account selection and an explicit final confirmation showing account, network, message content, and estimated fee before any broadcast.

What this means

Future commands could use the wrong MetaBot account or credentials if the shared state file is changed by another skill, user, or process.

Why it was flagged

A persistent shared account file controls future identity selection, including a default-first-account fallback. Stale, tampered, or unexpectedly reordered state could steer later signing and posting actions.

Skill content
account.json: located in the project root directory (shared with the subsequent metabot-basic series of skills)... Account selection: when creating an account, the new account is unshifted onto accountList; if accounts already exist, match by username/address, and if there is no match use accountList[0].
Recommendation

Keep account.json under user control, validate account identity before each action, avoid partial/default matching for high-impact actions, and consider per-skill or per-user scoped state.

What this means

Dependency behavior could change between installs, which matters for software that handles wallet keys and signs transactions.

Why it was flagged

Several npm dependencies use floating semver ranges, and the supplied manifest does not include a lockfile. This is common, but installs may resolve different package code over time.

Skill content
"dependencies": { "bip32": "^4.0.0", ... "sharp": "^0.33.0" }, "devDependencies": { "typescript": "^5.0.0", "ts-node": "^10.9.0" }
Recommendation

Install in an isolated environment, review generated lockfiles, and prefer pinned dependency versions for wallet-related tooling.