Skill v1.0.0

VirusTotal security

Novel Character Profile Builder · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:53 AM
Hash
739377ef33502faf9708ccaf273b22bc3f79b8cc4ac888c52b71dddefb4344e7
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: character-profile-cn
Version: 1.0.0

The skill bundle contains critical Remote Code Execution (RCE) vulnerabilities due to the use of `eval()` on externally configurable strings. Specifically, `scripts/conflict_detector.py` evaluates `rule.condition` from `config/validation_rules.json`, and `scripts/subagent_orchestrator.py` evaluates `condition` from `config/workflow_tasks.json`. An attacker able to modify these configuration files could execute arbitrary Python code. Additionally, `subagent_orchestrator.py` dynamically loads modules and classes based on `config/workflow_tasks.json`, further increasing the attack surface. While these are severe vulnerabilities, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, persistence) within the provided code, aligning with the 'suspicious' classification for vulnerabilities.