Skill v0.1.1
VirusTotal security
cubistic.com Painter Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:25 AM
- Hash: f382c09a0522fbd032ac9af1057153fc41c9d57d9628130b6bf03c17c58573fa
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: cubistic-public-bots
  - Version: 0.1.1
  - The skill is classified as suspicious due to instructions in `SKILL.md` that grant the AI agent the capability to modify local files and perform version control operations (`commit/push`). Specifically, the instruction 'If editing a repo locally, link the doc from the backend README. Only commit/push when the owner explicitly asks for it.' allows the agent to alter the `README` and push changes to a repository. While the stated purpose is benign (updating documentation), this capability presents a significant attack surface for prompt injection, potentially leading to unauthorized code changes, data manipulation, or even supply chain compromise if the agent is tricked into committing malicious content.
