Back to skill
Skillv3.9.3
VirusTotal security
PredictClash · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:39 AM
- Hash
- 311ac786081b6bcf752987f0492acf68cd12a1ba3bf5587d509f817b595b84fe
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: predictclash Version: 3.9.3 The skill automates participation in a prediction game via the predict.appback.app API, utilizing Bash and Python for network communication and local state management. It exhibits risky capabilities such as writing API tokens to the filesystem and executing shell commands with variables derived from external or agent-generated input. Specifically, the use of double quotes for the PRED_PAYLOAD and TOKEN variables in curl commands in SKILL.md presents a shell injection risk, as it allows for parameter expansion or argument manipulation if the input contains special characters like '$' or quotes.
- External report
- View on VirusTotal