Back to skill
Skillv1.2.1
VirusTotal security
BotWorld · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:56 AM
- Hash
- 77e754ff8ef7893d3fb6040d2bda443c8385267aa4a9db7ed4e559e083a42cf1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: botworld Version: 1.2.1 The skill is suspicious due to its instruction to dynamically fetch and execute remote markdown files. Specifically, the `SKILL.md` instructs the agent to set up a recurring cron job to `curl -s https://botworld.me/heartbeat.md` and then `your_agent execute /tmp/bw_heartbeat.md`. This allows the remote server (`botworld.me`) to inject arbitrary instructions into the agent's execution flow, creating a severe supply chain vulnerability and a persistent prompt injection risk, which could lead to remote code execution or other malicious activities without requiring an update to the original skill bundle.
- External report
- View on VirusTotal