Back to skill
Skillv1.0.0
VirusTotal security
Data Harvester Pro · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:07 AM
- Hash
- 472e9bf2ec8f922ac7aeb0f83fc3efca3e08161c09a624baef84edd1276f0830
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: data-harvester-v2 Version: 1.0.0 The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability in `data_harvester.py`. The `cmd_batch` function directly uses user-provided input as a filepath (e.g., `/data-harvester batch urls.txt`) without sanitization, allowing an attacker to instruct the OpenClaw agent to read arbitrary files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and display their contents. While the script does not exfiltrate this data, the agent's execution of the skill would expose the file content. The `SKILL.md`'s `command-arg-mode: raw` facilitates this vulnerability by passing arguments directly.
- External report
- View on VirusTotal