Skill v1.0.1
VirusTotal security
Code Reputation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:51 AM
- Hash: 742de8648e09512d28ad51069c15bbf7e247390592dd408ef11154f7e397bfb7
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: code-reputation; Version: 1.0.1. The skill is designed for semantic code caching via the Raysurfer API, which involves reading and writing code files locally and communicating with a remote service. It is classified as suspicious due to significant vulnerabilities in `code_cache.py`. Specifically, the `cmd_files` function writes arbitrary content received from the `raysurfer.com` API to a user-specified `--cache-dir`, which could lead to arbitrary file write and potential Remote Code Execution (RCE) if an AI agent is prompted to use a sensitive directory or if the Raysurfer service is compromised. Additionally, the `cmd_upload` function reads local files specified by the user and sends their content to `raysurfer.com`, posing a data exfiltration risk if an agent is tricked into uploading sensitive files. While these capabilities are plausible for the skill's stated purpose, the lack of robust input sanitization and path restrictions makes them high-risk.
