Skill v1.0.1
VirusTotal security
Wip X · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 4:19 AM
- Hash: c9030b8c63f1a4d79410576034ebd494ee938ce883c71101eee5b5ef9dcd1113
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: wip-x; Version: 1.0.1. The skill is suspicious due to a Local File Inclusion (LFI) vulnerability in the `upload_media` function, exposed via both `cli.mjs` and `mcp-server.mjs`. The `core.mjs` implementation uses `readFileSync(file_path)` directly with user-controlled input, allowing an attacker or a compromised agent to read arbitrary files on the system. The content of these files is then base64 encoded and sent to the X Platform API, creating a data exfiltration vector. While the `execSync` call in `auth.mjs` for 1Password integration uses a risky function, it appears to be used in a controlled manner for a legitimate purpose and is not the primary concern. The prompt injection in `README.md` is benign and aims to guide the agent's explanation of the tool.
