Back to skill
Skillv2.1.0
VirusTotal security
Metaso Search V2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:45 AM
- Hash
- 786dc7e115008968bfaed557bfef8a4f7c220a29e0cdce2240a6dbb1f2880b19
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: metaso-search-v2 Version: 2.1.0 The skill provides access to a third-party search API, handling API keys securely via environment variables and making network calls to hardcoded `https://metaso.cn` endpoints. However, the `metaso-api.js` file, specifically the `readWebPage` function, accepts an arbitrary `url` parameter without robust validation. This creates a potential Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability if the Metaso API (to which the URL is proxied) is susceptible to such attacks, allowing a malicious agent prompt to potentially access internal resources or local files via the Metaso service.
- External report
- View on VirusTotal