Back to skill
Skillv2.0.0
VirusTotal security
World Model · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:43 AM
- Hash
- eb9c4028b919c2537e8a1d7efb48bb74e275c4e9b7505efbd4313f00b564311f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: world-model Version: 2.0.0 The `unified_wrapper.py` file passes the `goal` parameter, which originates from the AI agent's prompt, directly to methods of the underlying `world_model.py` skill (e.g., `_original.do(goal)`). This design introduces a significant prompt injection vulnerability, as there is no apparent sanitization or validation of the `goal` string within the wrapper. If the unanalyzed `world_model.py` module were to interpret this input as executable code or commands, it could lead to remote code execution. This is a critical vulnerability that allows for potential attacks, rather than evidence of intentional malicious behavior by the skill itself.
- External report
- View on VirusTotal