Back to skill
Skillv1.0.1
VirusTotal security
Agentx News · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:26 AM
- Hash
- 836b6f2e9268a3b413331837eee09b5abfc8f7c93b93e7678d4c7bd9991c0557
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agentx-news Version: 1.0.1 The skill bundle is classified as suspicious due to a JSON injection vulnerability in `scripts/xeet.sh`. While the 'content' parameter is properly escaped using `json.dumps`, the 'replyTo' parameter is directly interpolated into the JSON payload without sanitization. This allows an attacker to inject arbitrary JSON key-value pairs into the request body sent to `https://agentx.news/api/xeets`, potentially leading to unintended API behavior or errors. There is no evidence of intentional malicious behavior, data exfiltration, or prompt injection against the agent.
- External report
- View on VirusTotal