Skill v1.0.0
VirusTotal security
TPM Copilot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:30 AM
- Hash: 323344d20c6e206100c52da61bcd3c80b814d36d431a0a28efa71a545be42866
- Source: palm
- Verdict: suspicious
- Code Insight:

  Type: OpenClaw Skill
  Name: tpm-copilot
  Version: 1.0.0

  The skill is classified as suspicious due to critical vulnerabilities that could lead to remote code execution (RCE) and arbitrary file system manipulation. Specifically, `scripts/add-program.sh` is vulnerable to path traversal and command injection via the `--name` argument, allowing an attacker to create files/directories outside the intended workspace or execute arbitrary commands.

  Furthermore, `scripts/risk-radar.sh` and `scripts/status-report.sh` execute `gh` CLI commands using `subprocess.run`, where the `--repo` argument is sourced from `programs/<name>/config.json`. If an attacker can manipulate this configuration file (potentially by exploiting the `add-program.sh` vulnerability), they could inject shell commands into the `repo` field, leading to RCE.

  The skill also handles sensitive API keys (Jira, Linear, GitHub, Slack, Resend), making it a high-value target if these vulnerabilities are exploited.
- External report: View on VirusTotal
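Both findings in the Code Insight summary share one root cause: a string controlled by the caller (`--name`) or by a file the caller can write (`repo` in `config.json`) is used unvalidated as a path component or inside a command line. The block below is an added illustration of the hardened pattern, written for this page; it is not code from the tpm-copilot skill or from VirusTotal. The function names, the `WORKSPACE` variable, the `gh issue list` invocation and every sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not the tpm-copilot scripts: allow-list untrusted
# values before they become a path component or a CLI argument.

WORKSPACE="${WORKSPACE:-./programs}"   # assumed workspace root

# --name must be a single, safe path component. The allow-list excludes '/',
# '.', ';', '$', '`', whitespace and every other metacharacter, so "..",
# "../../etc" and "x;rm -rf /" are all rejected by the same rule.
valid_program_name() {
  case $1 in
    "" | -*) return 1 ;;                # empty, or looks like an option flag
    *[!A-Za-z0-9_-]*) return 1 ;;       # any character outside the allow-list
  esac
  return 0
}

# Resolve the per-program directory only after the name has been validated,
# so the result can never leave $WORKSPACE.
program_dir_for() {
  name=$1
  valid_program_name "$name" || { echo "refusing unsafe program name: $name" >&2; return 1; }
  printf '%s/%s\n' "$WORKSPACE" "$name"
}

# A repo read from config.json must look like owner/name: exactly one '/',
# non-empty halves, only GitHub-safe characters, no half starting with '-'.
valid_repo_slug() {
  repo=$1
  case $repo in
    */*/* | /* | */ | "") return 1 ;;   # extra slashes, leading/trailing slash, empty
    */*) ;;                             # exactly one slash: keep checking
    *) return 1 ;;                      # no slash at all
  esac
  case $repo in
    *[!A-Za-z0-9._/-]*) return 1 ;;     # shell metacharacters, spaces, quotes, ...
    -* | */-*) return 1 ;;              # a half that gh would parse as an option
  esac
  return 0
}

# Build the gh invocation as an argument vector and print one element per
# line. Each element is a separate argv entry; nothing in $repo is ever
# re-parsed by a shell, which is what a string-built command would allow.
gh_list_issues_argv() {
  repo=$1
  valid_repo_slug "$repo" || { echo "refusing unsafe repo value: $repo" >&2; return 1; }
  printf '%s\n' gh issue list --repo "$repo" --state open
}

# The real call site uses the same elements directly (not run here: gh is
# not assumed to be installed).
run_gh_list_issues() {
  repo=$1
  valid_repo_slug "$repo" || return 1
  gh issue list --repo "$repo" --state open
}

# Demonstration on constructed inputs (not taken from the skill).
for n in payments-q3 '../../etc' 'x;rm -rf /' '-o'; do
  if valid_program_name "$n"; then echo "accept name: $n"; else echo "reject name: $n"; fi
done
for r in octocat/hello-world 'octocat/hello;id' 'a/b/c' '$(id)/x' octocat; do
  if valid_repo_slug "$r"; then echo "accept repo: $r"; else echo "reject repo: $r"; fi
done
```

Whatever parses `config.json` (jq, Python, or anything else), the `repo` value should pass through `valid_repo_slug` before it reaches `gh`, and the call should be made as an argument vector rather than a string handed to a shell. Validating `--name` at creation time does not remove the need for the second check: a `config.json` can be edited after the directory exists.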
