Back to skill
Skillv1.0.0
VirusTotal security
Houston Transtar Watch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:09 AM
- Hash
- b2c3d3be365a7e3a9c5347cce4c75992a88a8a8084c2851b1db9d23ac1e19f5a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: houston-transtar-watch Version: 1.0.0 The skill is suspicious due to a critical misconfiguration in `main.py`. It attempts to execute a non-existent script named `your_script.py` via `subprocess.run` using a relative path (`../../scripts/your_script.py`). This path resolution is unusual and could lead to arbitrary code execution if an attacker could place a malicious `your_script.py` in the resolved directory. Additionally, the `SKILL.md` instructs the agent to run `transtar_diff.py`, which also does not exist, while the actual functional code is in `transtar.py` (present twice, once in `scripts/` and once at the root). This combination of non-existent script execution and path ambiguity represents a significant vulnerability, even though the `transtar.py` script itself appears benign.
- External report
- View on VirusTotal