Back to skill
Skillv1.1.0
VirusTotal security
archive-extractor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:48 AM
- Hash
- 392d27d0e3b07d42fbee624aae97492d203507fd9ff1edc8d015d3f1ef5bbcf0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: archive-extractor Version: 1.1.0 The skill provides recursive archive extraction but includes high-risk behaviors such as automatically installing Python packages ('rarfile', 'py7zr') via 'pip' using 'subprocess.check_call' in 'scripts/extract.py'. While these capabilities are plausibly needed for the stated purpose of 'zero local-software dependency', they represent a significant attack surface. Additionally, while the script implements 'tarfile.data_filter' for security on newer Python versions, it uses standard 'extractall()' for ZIP and other formats, which remains vulnerable to path traversal (Zip Slip) attacks if processing untrusted archives.
- External report
- View on VirusTotal