Skill v1.0.1
VirusTotal security
Skill Shop Client · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 6:26 AM
- Hash: 6d55256f3473d3c5274434be160a86bf821fdbe63b72d45a98c445824f0615f2
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: skill-shop; Version: 1.0.1. The skill bundle functions as a 'Skill Shop' client that downloads, extracts, and installs executable code from a local server (127.0.0.1:8080) into a sensitive system directory (/root/.openclaw/workspace/skills/). It is highly vulnerable to path traversal attacks (ZipSlip) because main.py lacks sanitization when extracting ZIP/TAR archives, and it automatically grants execution permissions (chmod 755) to downloaded scripts without any signature verification or integrity checks. While these represent critical security flaws that could lead to arbitrary code execution, there is no clear evidence of intentional malice or data exfiltration.
