Skill v0.1.2
VirusTotal security
Method Dev Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:42 AM
- Hash: e62dc342263befb621b1ea2aca2ecf0adb8fe380f15b399f2672d33895dba744
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: method-dev-agent. Version: 0.1.2. The skill contains a Local File Write (LFW) vulnerability in `src/utils.py::export_to_csv`. The `filename` parameter is used directly in `os.path.join` without sanitization, allowing for path traversal (e.g., `../../../../tmp/malicious.csv`). This could enable an attacker to write arbitrary files to arbitrary locations on the system where the process has write permissions, potentially leading to Remote Code Execution (RCE) if combined with other vulnerabilities. While this is a significant security flaw, it appears to be an unintentional vulnerability rather than clear evidence of malicious intent, classifying it as 'suspicious'.
