Skill v1.0.0
VirusTotal security
Expanso keyword-extract · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:43 AM
- Hash: 31261c616e615b00a408b08def3a50bfc39832f8a104a720f0b2c7cb91bff1c9
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: expanso-keyword-extract. Version: 1.0.0. The skill is designed to extract keywords using an OpenAI LLM. It is classified as suspicious due to inherent prompt injection vulnerabilities. User input (`content()` in `pipeline-cli.yaml` and `this.text` in `pipeline-mcp.yaml`) is passed directly to the LLM as the 'user' message, and the `MAX_KEYWORDS` variable (user-controlled) is interpolated into the 'system' prompt. While there is no evidence of intentional malicious behavior like data exfiltration or unauthorized command execution, these direct inputs to the LLM create a risk of prompt injection, which is a significant vulnerability in LLM-based applications.
