Back to skill
Skillv1.0.0
VirusTotal security
iMessage & Signal Analyzer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:16 AM
- Hash
- 9210bd9bef9e787db7a78a6ba335dc32661ebe6543fb1d674bf7bca9aecfbeb2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: imessage-signal-analyzer Version: 1.0.0 The skill is classified as suspicious due to a file path traversal vulnerability in `scripts/analyze.py`. The `analyze_signal` function takes a `json_path` argument directly from command-line input (`sys.argv[2]`) and uses `os.path.expanduser()` before opening the file. This allows an attacker to specify a path like `../../../etc/passwd` to read arbitrary files on the system, potentially exposing sensitive data. While this is a significant vulnerability, there is no clear evidence of intentional malicious behavior such as data exfiltration, persistence, or unauthorized remote control. The `SKILL.md` also contains a `sqlite3` command for AddressBook lookup that could be vulnerable to SQL injection if the AI agent's execution environment does not properly sanitize user input, but the prompt itself does not contain a malicious payload.
- External report
- View on VirusTotal