
VirusTotal security

Zerox · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:56 AM
Hash: b9cddba9a16a530cd50f41caf375a84a343bb6a002e577ba21e80d37dec61e00
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: zerox
Version: 0.1.0

The skill is classified as suspicious due to significant vulnerabilities. The `scripts/convert-bg.mjs` script is vulnerable to shell injection via `osascript` on macOS, as the `filePath` argument is unsanitized when used to construct notification messages, potentially allowing arbitrary command execution.

Additionally, both `scripts/convert.mjs` and `scripts/convert-bg.mjs` are vulnerable to arbitrary file writes/path traversal, as the `outputPath` argument is directly used to write files without proper validation, allowing an attacker to specify locations outside the intended output directory.

The skill also accesses `~/.openclaw/.env` to retrieve an API key, which, while intended and documented, highlights its ability to read user configuration files.