Skill v1.0.0
VirusTotal security
creator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:45 AM
- Hash: d4cfe98c82b22cb3bff7d17cd509fac890f866eb4fa5dd2472e3179a12490cc7
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: creator. Version: 1.0.0. The skill 'skill-creator' is designed to guide the creation of other OpenClaw skills, which involves running helper scripts for initialization and packaging. The `scripts/init_skill.py` and `scripts/package_skill.py` files contain path traversal vulnerabilities. Specifically, the `path` argument in `init_skill.py` and the `output_dir` argument in `package_skill.py` are resolved using `Path.resolve()`, which normalizes paths but does not prevent `../../` sequences from resolving to arbitrary locations on the filesystem. This could allow an attacker or a misconfigured agent to write files to unintended, potentially sensitive, locations (e.g., `/etc/cron.d/malicious_job`) or to create executable files (`example.py` is set to `0o755` permissions) in arbitrary directories, leading to arbitrary file write and potential remote code execution. While the scripts themselves do not contain malicious payloads and their stated purpose is benign, these vulnerabilities represent a significant security risk.
