Back to skill
Skillv1.4.1
VirusTotal security
Sun Path & Environmental Analysis · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:15 AM
- Hash
- ea693028b758e3a8803c8a9afefb4314d73cc1b7f237bb0e2543027984fb8ef5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: sun-path Version: 1.4.1 The skill is classified as suspicious due to the `shell:exec` permission and the agent instructions in `SKILL.md` that direct the agent to execute Python scripts with user-controlled arguments. While the scripts themselves appear to perform their stated functions (solar calculations, plotting), the direct execution of `python3 scripts/*.py` with user-provided `--output` paths (e.g., `/tmp/shadow.png`) creates a potential path for shell injection if the agent were to pass unsanitized user input directly to the shell command. The `PUBLISH.md` file also contains `rsync` and `npm` commands, which, while part of a deployment process, highlight the broad shell access available. There is no clear evidence of intentional malicious behavior like data exfiltration or persistence, but the combination of `shell:exec` and user-controlled arguments represents a significant vulnerability.
- External report
- View on VirusTotal