Back to skill
Skillv1.0.0
VirusTotal security
Vestaboard · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:17 AM
- Hash
- 5f2d3101246f21c55bd42805ac76ab4b8e4842c849ef00023a4945aab3d8e057
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vestaboard Version: 1.0.0 The skill is suspicious due to a risky capability in `scripts/vb.js`. The `vbWriteLayout` function reads a file path directly from command-line arguments using `readFileSync`. While intended for Vestaboard layout files, this allows an AI agent (if compromised via prompt injection) to be instructed to read arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and attempt to send their content to the Vestaboard API endpoint (cloud.vestaboard.com). This presents a potential data exfiltration vector, even though the skill itself does not exhibit clear malicious intent.
- External report
- View on VirusTotal