Skill v1.0.5
VirusTotal security
testskill-0410repo123 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious (Apr 29, 2026, 4:46 AM)
- Hash: e2d31966e013f712dfc8187675d61401f06037438f8d61474b056e4855ebfaf0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: test-1; Version: 1.0.5. The skill includes a Node.js script (`scripts/onebot-action.js`) that contains a hardcoded default authentication token and a feature allowing arbitrary local file reads via a specific argument prefix (`@/`). While documented as a feature in the script's comments, this capability allows an agent to be potentially manipulated into exfiltrating sensitive system files (like SSH keys or configuration files) to the OneBot API endpoint. The script also uses a hardcoded absolute path to Node modules in a root directory, suggesting a highly specific and potentially insecure execution environment.
