Back to skill
Skillv1.0.0
VirusTotal security
Local File · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:27 AM
- Hash
- 5596b20492539f000bc8ab70a3d7f54e99b70f39a94958a04933debc24e3f435
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: local-file Version: 1.0.0 The skill provides legitimate file-reading functionality but contains a significant path traversal vulnerability in `index.js`. The path validation logic uses `startsWith` against allowed roots without first normalizing the input path, which could allow an attacker to access sensitive files outside the intended directories (e.g., using `../` sequences). Additionally, the code contains a hardcoded absolute Windows path (`D:\个人`), which is atypical for a generic skill. No evidence of intentional data exfiltration or malicious backdoors was found.
- External report
- View on VirusTotal