Skill v1.2.7
VirusTotal security
Godot Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 3:37 AM
- Hash: d3b9da54e334cd19010992eee7055f5fd1629a81577f73e10d0b7c040c8c39b9
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: openclaw-godot-skill; Version: 1.2.7. The skill is classified as suspicious due to its broad capabilities that could be abused, specifically the `godot_execute` tool in `extension/index.ts` which allows the AI agent to read script content (`script.read`), list resources (`resource.list`), and simulate input or modify the Godot project. While these actions align with the stated purpose of controlling the Godot Editor, they represent significant file access and system control risks if the AI agent is compromised via prompt injection. Additionally, the local HTTP server in `extension/index.ts` uses `Access-Control-Allow-Origin: *`, which is a permissive CORS policy that could be exploited by other local processes, although the primary intent is for local Godot Editor communication. There is no clear evidence of intentional malicious behavior like data exfiltration to external endpoints or persistence mechanisms.
- External report: View on VirusTotal
