Skill v1.0.0
VirusTotal security
project-assistant · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:49 AM
- Hash: bfad419e41a158621ca3ac80df97078dd57e5f3e7e6117f23929e1a909babb2c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: project-assistant; Version: 1.0.0. The bundle is a highly capable project analysis tool that includes several high-risk 'dual-use' features. Specifically, 'scripts/analyzers/env_scanner.py' is designed to scan the entire project for sensitive secrets, including OpenAI API keys, AWS credentials, and private keys, while 'scripts/analyzers/ipc_analyzer.py' maps out system-level communication interfaces. While these are framed as developer aids, they facilitate the aggregation of sensitive data. Additionally, multiple parsers (e.g., 'manifest_parser.py' and 'maven_parser.py') utilize the 'xml.etree.ElementTree' library, which is inherently vulnerable to XML External Entity (XXE) attacks. No evidence of intentional data exfiltration was found, but the combination of secret harvesting and vulnerable parsing logic warrants a suspicious classification.
