Back to skill
Skillv1.0.0
VirusTotal security
Agent Lifecycle · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:01 AM
- Hash
- cc60108ec77055d7d426f9b89707732a9c8c88b5d110abef4588e21e95b9f456
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: arc-agent-lifecycle Version: 1.0.0 The skill's core functionality for managing agent lifecycle, including scanning installed skills and recording state, appears benign. However, the `scripts/lifecycle.py` script is vulnerable to path traversal. User-supplied arguments for snapshot names (e.g., `--name` in `snapshot`, `--from`, `--to` in `diff`, `--to` in `rollback`) are directly used to construct file paths within the `SNAPSHOTS_DIR`. This could allow an attacker to read or write arbitrary files on the system (e.g., `snapshot --name '../../../../tmp/evil'`), depending on the agent's permissions. While the `rollback` command explicitly states it's a dry-run and doesn't implement actual changes, the path traversal vulnerability itself is a significant security flaw, classifying the skill as suspicious.
- External report
- View on VirusTotal