Back to skill
Skillv1.0.2
VirusTotal security
WastePickupReminder · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:04 AM
- Hash
- 8d4ce17b05a92fcf47217a5ab45ee0e654462e8b84314528dfd54e0ee3ac99f6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: waste-reminder Version: 1.0.2 The skill's Python scripts (`waste_cron.py`, `waste_reminder.py`) do not contain direct malicious code, adhere to the stated lack of network access, and perform standard file I/O within their designated directory. However, a significant prompt injection vulnerability exists against the OpenClaw AI agent. User-controlled data from `config.json` (specifically `container_name`, `container_emoji`, and `template` fields) is directly embedded into the output message generated by `waste_cron.py` without sanitization. This output is designed to be processed by the AI agent, allowing a malicious user to inject commands into the AI's instruction stream, potentially leading to unauthorized actions by the agent.
- External report
- View on VirusTotal