Back to skill
Skillv1.0.0
VirusTotal security
Deep modules for agent-native codebases · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:35 AM
- Hash
- de3fde66964d8cc304944d67bf89991a271a7facdeec04cf852fc43cb0ec6122
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ai-codebase-deep-modules Version: 1.0.0 The skill is classified as suspicious due to two key vulnerabilities. First, the `scripts/scaffold_deep_module.py` script has a path traversal vulnerability, allowing files to be created outside the intended module directory if the `--name` or `--base-dir` arguments are crafted maliciously. Second, the `SKILL.md` instructions direct the AI agent to execute arbitrary local scripts (e.g., `./scripts/verify.sh`) as part of establishing a feedback loop, which presents a shell injection risk if the repository's scripts are compromised or untrusted. While the skill's stated purpose of codebase refactoring is legitimate, these flaws introduce significant security risks without clear evidence of intentional malicious behavior from the skill bundle itself.
- External report
- View on VirusTotal