Back to skill
Skillv1.0.0
VirusTotal security
Firm Acp Bridge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:57 AM
- Hash
- 2889c5f9840cfbbb4756ee4a9b77c660ecfdb1ace2e1f3d88ca9b83414332547
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: firm-acp-bridge Version: 1.0.0 The skill introduces high-risk capabilities, primarily through the `fleet_cron_schedule` tool, which allows scheduling commands on the host system ('main' session). While the documentation specifies a restrictive regex allowlist (`[a-zA-Z0-9 /._-=]+`) for commands, this capability inherently presents a significant Remote Code Execution (RCE) vulnerability if the allowlist is bypassed or flawed. Additionally, the `fleet_session_inject_env` tool handles and injects sensitive API keys into agent sessions, which is a high-privilege operation, even with an integrated allowlist and logging redaction. These capabilities, while intended to address functional gaps, introduce substantial security risks that warrant a 'suspicious' classification due to their potential for misuse or exploitation.
- External report
- View on VirusTotal