Skill v1.0.0

VirusTotal security

Plugin Orchestration Protocol · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 5:57 AM
Hash
b7d99b9c0d8291e03a0eb734c76e38f2bacd83116fb27844a756e83e911ae911
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: pop-obsidian
Version: 1.0.0

The skill implements a complex JSON-RPC orchestration protocol (POP) for Obsidian via a local WebSocket bridge (ws://127.0.0.1:8088). A significant security concern is the protocol's explicit support for accessing system environment variables via '$ENV_VAR' syntax (defined in protocol-spec.md), which provides a direct path for data exfiltration if the agent is misdirected. While the bundle's stated purpose is document and research automation, the combination of environment variable access, local network communication, and the requirement for external tool execution (e.g., 'autofigure' via pip) creates a high-risk surface without clear evidence of intentional malice.