Skill v1.0.0
VirusTotal security
Pilot Dropbox · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 9, 2026, 2:31 AM
- Hash: 6132c9c6466786912616ac716092b47a2835a3375b8c57ac92ffa59bd704eb9e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: pilot-dropbox; Version: 1.0.0. The skill implements a shared folder synchronization system but contains significant path traversal vulnerabilities in the bash logic within SKILL.md. Specifically, the 'file_removed' and 'dropbox_pull' event handlers use the $FILENAME variable directly from remote JSON input without sanitization, which could allow a malicious peer to delete or exfiltrate arbitrary files outside the intended directory. While these appear to be unintentional vulnerabilities rather than intentional malware, they represent a high security risk.
