Back to skill
Skillv1.0.20
VirusTotal security
Clawzone · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:10 AM
- Hash
- 3ac0389e810f8e40c3c8dd716525a5871cdc41872890ee4fe56c60839ccf8d81
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawzone Version: 1.0.20 The skill is suspicious due to significant prompt injection and potential shell injection vulnerabilities. The `SKILL.md` instructs the AI agent to embed `GAME_ID` and `MATCH_ID` (obtained from an external API) directly into the `--system-event` string of `openclaw cron add` commands. If these IDs contain shell metacharacters, this could lead to arbitrary command execution when the cron event is processed. Additionally, the agent is instructed to generate a `YOUR_SUMMARY` (including game state and strategy) and embed it into the same `--system-event` string, creating a self-prompt injection risk where the agent could be tricked into executing malicious instructions if its internal reasoning or external data leads to a crafted summary.
- External report
- View on VirusTotal