Back to skill
Skillv1.0.0
VirusTotal security
skill-fixon-homepage · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 7:00 AM
- Hash
- f900ac08062020ab19109a845deb2eb6adada3eab745e7fd352680041f8cf69b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-fixon-homepage Version: 1.0.0 The skill contains significant security vulnerabilities and implementation flaws. Specifically, `scripts/main.py` implements an authentication bypass in the `/homepage/chat` endpoint because the API key check is skipped if the Authorization header is missing, and the `/homepage/sessions` endpoint is entirely unprotected. Additionally, `scripts/call_agent.sh` contains a hardcoded absolute path to a specific user's home directory (`/Users/yaoyi/`), and the Python code contains runtime errors such as a missing `Optional` import and missing dependencies in `requirements.txt` (e.g., `websocket-client`).
- External report
- View on VirusTotal