Back to skill
Skillv1.0.0
VirusTotal security
Project Router · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:33 AM
- Hash
- d2670fc35e1d9f575226ed66bb5c5546de6009ea74a9fb9049ca9899a85036a2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: project-router Version: 1.0.0 The skill is classified as suspicious due to the `scripts/project.js` file executing user-defined commands from `.project/targets.json` using `child_process.spawnSync` with `shell: true`. This capability, found in the `runTarget` function, allows for arbitrary command execution if the `targets.json` file within a project bundle is compromised. Furthermore, these executed commands inherit the agent's `process.env`, potentially exposing sensitive environment variables. While this functionality is plausibly needed for a project management tool, it represents a significant security risk without clear malicious intent from the skill author.
- External report
- View on VirusTotal