Skill v2.1.0
VirusTotal security
AI Persona Engine · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Mar 29, 2026, 9:46 PM
- Hash: 32bad2d8057045b3b4eafd6f8fd5dc28f843efa82fcd90dfe3f8cc257a084b9e
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: persona-engine
  - Version: 2.1.0

  The persona-engine skill bundle provides a robust framework for managing AI identities but contains a path traversal (ZipSlip) vulnerability in `scripts/persona-import.sh`. The import script extracts files from zip bundles without validating that the destination paths remain within the target workspace, potentially allowing a malicious bundle to overwrite sensitive files outside the intended directory. While the bundle demonstrates benign intent through features like automated API key stripping in `scripts/lib/config.py` and comprehensive documentation, the inclusion of this high-risk vulnerability necessitates a suspicious classification.
