Skill v1.0.2

VirusTotal security

context-engineer · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 4:20 AM
Hash
eba89390fa8d1705607bb3c04079510532c8b14257ac3c93b312a699cbdd0695
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: context-engineer
Version: 1.0.2

The skill is classified as suspicious due to a potential arbitrary file read vulnerability. The `context.py` script's `parse_tool_definitions` function attempts to `json.load()` the file specified by the `--config` argument (defaulting to `~/.openclaw/openclaw.json`). While intended for configuration, a malicious prompt could instruct an agent to use `--config` with a sensitive file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). Although the script would likely fail to parse non-JSON files, it would still read their content, posing a risk of information disclosure. There is no evidence of intentional malicious behavior like data exfiltration or persistence, but the capability to read arbitrary files via user-controlled input is a significant vulnerability.