Back to skill
Skillv1.0.0
VirusTotal security
Tibber Energy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 10:26 AM
- Hash
- 3ea512e905e246a1a4a6ed914fe875ceab42823e544b04cd6fda63a6b3e4dd5f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tibber-energy Version: 1.0.0 The skill includes a 'control' command in `tibber_energy.py` that executes arbitrary shell commands via `subprocess.run(shell=True)` based on energy price thresholds. While documented as a feature for smart-home automation (e.g., triggering Home Assistant), this provides a direct path for Remote Code Execution (RCE) if the AI agent is manipulated into supplying malicious command strings. Additionally, the GraphQL queries in `tibber_energy.py` unnecessarily fetch sensitive user PII (email and mobile number) from the Tibber API, which is a privacy risk even if not currently exfiltrated.
- External report
- View on VirusTotal