Skill v1.2.0
VirusTotal security
RLM Controller · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Benign · Apr 29, 2026, 3:43 AM
- Hash: ec913a358ffea64dc96aa0d7a928714b432d2bb66e93e4b992d7bcc31b204d76
- Source: palm
- Verdict: benign
- Code Insight: Type: OpenClaw Skill; Name: rlm-controller; Version: 1.2.0. The skill bundle demonstrates a strong security-first design with multiple layers of defense. Key indicators include robust path validation (`rlm_path.py`) to prevent directory traversal and ensure containment, comprehensive secret redaction (`rlm_redact.py`) for subcall prompts, and strict safelisting of allowed actions and tools (`rlm_async_spawn.py`, `rlm_emit_toolcalls.py`) to prevent arbitrary code execution or tool misuse. All scripts use explicit command arrays for `subprocess` calls, avoiding shell injection. Resource limits are enforced on slices, subcalls, and regex operations (ReDoS protection in `rlm_ctx.py`). The documentation, including a detailed `docs/security_audit_response.md`, transparently discusses design trade-offs like autonomous invocation and outlines specific code-level mitigations implemented. While the `cleanup.sh` script lacks the `rlm_path.py` validation for its environment variables, its scope is confined to designated scratch directories, and the overall design prevents it from being exploited for malicious purposes.
