Skill v1.2.0
VirusTotal security
Didit Liveness Detection · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 4:57 AM
- Hash: c3856f7e68f2bc0ddd78deeffe981967741f22d5ad434d1bfd4e72fb18bfe07b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: didit-liveness-detection; Version: 1.2.0. The skill bundle's `SKILL.md` and `scripts/check_liveness.py` are designed to interact with the Didit Liveness API, which aligns with its stated purpose. However, the `scripts/check_liveness.py` script directly uses the `user_image` argument in `open()` without explicit path validation. If the OpenClaw agent allows an attacker to provide an arbitrary file path (e.g., `../../../../etc/passwd`) for `user_image`, the script would attempt to read that file and send its content to the legitimate Didit API endpoint (https://verification.didit.me). While this is a vulnerability (Local File Inclusion/Disclosure risk) rather than intentional malicious exfiltration to an attacker-controlled server, it represents a significant security flaw that makes the skill suspicious.
