Skill v1.0.0
VirusTotal security
skill_install · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:35 AM
- Hash: 2ec078e9d501e77aef1f73b50806c319039b491805988dd812b2d4de9a5964bf
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: skillinstall; Version: 1.0.0. The skill installer is designed to manage OpenClaw skills, performing file system operations and executing system commands. It is classified as 'suspicious' due to a critical ZIP Slip vulnerability in `scripts/skill_install.py` where `zipfile.ZipFile.extractall()` is used without path sanitization. This flaw could allow a malicious ZIP file to write arbitrary files outside the intended temporary directory, potentially leading to remote code execution or system compromise if the script is run with sufficient privileges. While this is a severe vulnerability, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoor installation) designed by the skill itself, aligning it with the 'suspicious' rather than 'malicious' classification as per the provided guidelines.
