Skill v0.1.0
VirusTotal security
Earl Display Control · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:01 AM
- Hash: 1461f4f983b1a5933cd1aaad4378aa36beaddc176dd9d626cb076f6f8c99bea5
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: earl-display-control; Version: 0.1.0. The skill is classified as suspicious due to several risky capabilities and vulnerabilities. The `earl_api.py` file's `set_photo` method accepts an unsanitized `url` parameter, which is then rendered by `VisuoSpatialSketchpad/sketchpad.html`. This creates a client-side vulnerability (e.g., XSS via `javascript:` URLs or local file disclosure via `file://` URLs) if a malicious agent prompt or compromised `earl_mind.json` provides such input. Additionally, `SKILL.md` instructs the agent to execute powerful shell commands like `lsof -ti:8000 | xargs kill -9` for process termination, which, while intended for troubleshooting, grants significant system access. The `VisuoSpatialSketchpad/update_weather_ping.py` script also performs an outbound network request to `api.open-meteo.com`, using parameters read from `earl_mind.json`, which could be manipulated if the JSON file is compromised, though the base domain is fixed.
