Back to skill
Skillv1.1.2
VirusTotal security
Map Grabber · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:17 AM
- Hash
- 5827e96a6eb10453b46c6a4900a06939718fb27ab9094092a1932cb156fef33f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: map-grabber Version: 1.1.2 The skill is classified as suspicious due to its reliance on the `shell:exec` permission to directly execute a Python script with user-provided input, combined with an explicit instruction in `SKILL.md` for the agent to "Do not ask for confirmation; execute and return the image." While the `grab_map.py` script itself appears to perform its stated function without malicious intent (e.g., no data exfiltration, backdoors, or remote execution), the direct execution of user input via `shell:exec` without confirmation presents a significant vulnerability for potential prompt injection or shell injection if the input is not properly sanitized or quoted by the agent. Additionally, the script allows writing output files (`--svg`, `--gpkg`, `--dxf`) to arbitrary paths specified by the user, which could lead to arbitrary file writes if the OpenClaw agent does not enforce path restrictions beyond the `--png` output.
- External report
- View on VirusTotal