Skill v0.1.3
VirusTotal security
Gitignore Sync · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:01 AM
- Hash: 827344da00e37c8a0aa1821c51a10d94a21c360cff7818b09b2db5944567a506
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: gitignore-sync
  - Version: 0.1.3

  The skill bundle is designed to generate or update `.gitignore` files, which is a benign purpose. However, the `scripts/update_gitignore.py` script includes arguments like `--api-base` and `--rules-file` that introduce vulnerabilities. If an attacker can control these arguments (e.g., via prompt injection against the agent or direct command line manipulation), they could direct the script to fetch ignore rules from an arbitrary malicious URL or inject content from an arbitrary local file into the `.gitignore`. The `--repo` argument also allows writing the `.gitignore` file to an arbitrary directory. While these are not indicative of intentional malice, they represent significant risks due to potential for arbitrary content injection or file manipulation if the agent's input is not sufficiently sanitized.
