Back to skill
Skillv1.0.0
VirusTotal security
Godot MCP Integration · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:04 AM
- Hash
- 509f2476b0b0517a6058f2d00c21b1b1c20668797498e727d09d0cf75081f2f8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: godot-mcp Version: 1.0.0 The OpenClaw AgentSkills skill bundle is classified as suspicious due to the broad and powerful capabilities it grants to an AI agent, which, while necessary for its stated purpose of Godot Editor interaction, present a significant attack surface. Specifically, the `filesystem_read`, `filesystem_write`, `filesystem_delete` tools (detailed in `SKILL.md` and `references/api-reference.md`) allow arbitrary file system manipulation. Furthermore, the `script_write` tool enables the AI to write arbitrary GDScript code, which can lead to remote code execution (RCE) if exploited via prompt injection. Although there is no explicit malicious intent within the provided files (e.g., no instructions for exfiltration or backdoors), these capabilities are high-risk vulnerabilities if the AI agent is compromised or given malicious instructions.
- External report
- View on VirusTotal