Back to skill
Skillv1.0.2
VirusTotal security
NightPatch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:16 AM
- Hash
- 62dfe4a0b412135f64a8861b6cce5a3ec8f1d58401750d929ff73bc652418810
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: night-patch Version: 1.0.2 The skill is designed with strong security claims and multiple layers of internal safety checks, including production environment detection, rollback requirements, resource limits, and explicit forbidden actions. However, it utilizes powerful capabilities such as `child_process.execSync` for executing shell commands (e.g., creating aliases) and direct file system modifications (`fs.appendFileSync` to `~/.bashrc`, `fs.renameSync`, `fs.unlinkSync`) in `src/patch-executor.js`. While these actions are declared in `SKILL.md` and `manifest.json`, and are subject to extensive internal safeguards in `src/safety-check.js`, the inherent risk of these primitives, particularly `execSync` if inputs were to be subtly mishandled or bypassed, warrants a 'suspicious' classification. There is no evidence of intentional malicious behavior like data exfiltration or stealthy backdoors; rather, the design aims for secure automation, but the capabilities themselves carry a high potential for vulnerability.
- External report
- View on VirusTotal