Back to skill
Skillv1.0.0
VirusTotal security
Card Benefits Tracker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:40 AM
- Hash
- 604ca5f58c65c63bce5c998afc8319a583962f780c1ac8bb2a81f2166681961d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: card-benefits-tracker Version: 1.0.0 The skill is classified as suspicious primarily due to a critical design flaw and vulnerability: the `generate_report.py` script directly reads `cards.json`, which explicitly violates a 'CRITICAL RULE' stated in `SKILL.md` that mandates all data operations go through `api/cli.py`. This bypasses the intended secure data access layer and its validation mechanisms, creating a potential for data corruption or unexpected behavior. While the script's intent appears benign (generating a report), this direct file access against explicit instructions is a significant security oversight. Additionally, `SKILL.md` instructs the agent to 'Search the web with "ddgs"', implying external network access, which is a common AI agent capability but represents a potential vector for information gathering if misused, though no malicious intent is evident in the current instructions.
- External report
- View on VirusTotal