Skill v0.0.4
VirusTotal security
Podcast Discovery · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:48 AM
- Hash: bf6e719ab7ba75e1a124dfbc08e1700b2205b7f63d05001c350cb68c449d600a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: podcast-discovery; Version: 0.0.4. The skill is classified as suspicious due to a potential Server-Side Request Forgery (SSRF) vulnerability in `scripts/search_feed_episodes.py`. The script uses `urllib.request.urlopen` to fetch RSS feeds from a URL provided as a command-line argument. While the `SKILL.md` explicitly instructs the AI agent to only use RSS URLs obtained from the trusted Clawsica service, a sophisticated prompt injection attack could potentially bypass this instruction, allowing an attacker to coerce the agent into fetching content from arbitrary internal or external URLs via the `rss-url` parameter, leading to SSRF. There is no evidence of intentional malicious behavior such as data exfiltration or backdoors.
