Skill v1.7.0
VirusTotal security
My Fitness Claw · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 4:10 AM
- Hash: b67ef9ca76c05747374eed06f869ede10711c55cd2dfaa19957b25d494ca2458
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: my-fitness-claw; Version: 1.7.0. The skill's core functionality for nutrition tracking appears benign. However, the `SKILL.md` file contains a prompt injection instruction under 'Workflow: Logging Food' (Step 6) that tells the agent (or implicitly, the user) to `Run python -m http.server 8000 from the workspace root`. This instruction, if executed, leads to arbitrary command execution and exposes the entire OpenClaw workspace via a local web server, posing a significant information disclosure risk. While the stated purpose is for convenient offline dashboard access, this method is a severe vulnerability due to its broad scope and potential for misuse, classifying the skill as suspicious rather than benign.
