Back to skill
Skillv1.1.0
VirusTotal security
Placed Interview Coach · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 6:18 AM
- Hash
- 6345052178917857b3c0504e7ff5a650b85ae32f35d834aed54056d61799e9f6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: placed-interview-coach Version: 1.1.0 The skill defines a shell function `placed_call` in `SKILL.md` that is vulnerable to shell injection by directly embedding variables (`$tool`, `$args`) into a `curl` command string. It also instructs the AI agent to manage API keys by writing them to `~/.config/placed/credentials`. While the functionality is consistent with the stated purpose of interview coaching via the Placed API (hosted at `placed.exidian.tech`), the insecure construction of shell commands and local credential storage represent significant security risks.
- External report
- View on VirusTotal