Skill v1.0.0
VirusTotal security
spec steering workflow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 6:28 AM
- Hash: 2382f815bc60b47b0b711ff2398e3db6f3328425148375e40d6f4ec41c67b37a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: spec-steering-workflow; Version: 1.0.0. The skill bundle implements a structured task-management workflow, but the core automation script, `scripts/specctl.py`, contains a path traversal vulnerability. The script uses the user-provided `spec_id` to construct file paths using `pathlib` without sanitization, which could allow an agent or user to read or write files outside the intended workspace directories (e.g., by providing an absolute path or using `..` sequences). While the workflow and instructions in `SKILL.md` are aligned with legitimate productivity goals, the lack of input validation on file operations is a significant security flaw.
