Back to skill
Skillv3.2.5
VirusTotal security
Clawhub Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 14, 2026, 2:26 PM
- Hash
- 8408f34aa819933f32117fe6756111e572e63b60710afa8f2406d4e4619018ea
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cc-soul Version: 3.2.5 The cc-soul skill bundle is a highly sophisticated AI memory engine, but it contains several high-risk behaviors that function as significant security vulnerabilities. Specifically, 'context-prep.js' contains logic to automatically find file paths in user messages and read them from the disk ('readFileSync') to provide context to the agent, which facilitates path traversal and arbitrary file disclosure. It also executes local system commands ('execFileSync') using 'grep' to search for code symbols extracted from user input. While these features align with the stated goal of providing a 'Context Engine,' they create a massive attack surface for prompt injection to access sensitive local data. Additionally, 'cli.js' executes arbitrary local CLI commands based on the user-provided 'ai_config.json'. No evidence of intentional malice or hardcoded data exfiltration was found, but the inherent risks justify a suspicious classification.
- External report
- View on VirusTotal