Skill v1.0.0

VirusTotal security

Developer Agent · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:23 AM
Hash
8a10e9bf3eb9e863ee16d31030f586a46ad168c1ea6ab820f06a5bb26563bcc5
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: developer-agent
Version: 1.0.0

The skill bundle is classified as suspicious due to potential shell injection vulnerabilities and prompt injection risks against the underlying Cursor Agent.

Specifically, `SKILL.md` instructs the agent to execute `git` commands (e.g., `git checkout -b feature/[descriptive-task-name]`, `git push origin [branch-name]`) where agent-generated variables like `[descriptive-task-name]` or `[branch-name]` are directly inserted into shell commands without explicit sanitization, posing a risk of shell injection.

Additionally, `SKILL.md` and `references/workflow-details.md` instruct the agent to include 'ALL user-provided links and attachments' when prompting the Cursor Agent, which could allow prompt injection against Cursor if a user provides malicious content.

While the skill includes a critical mitigating factor of 'explicit user approval' before implementation, these vulnerabilities could still be exploited if the user approves a malicious plan or if the agent's own generated variables are compromised.