Skill v0.1.1
VirusTotal security
Hackathon Quantinuum · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:00 AM
- Hash: cf91cb0f630366528a5de98985fb84b612cae81f4f6fb5228317a9411fd18a5e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: quantum. Version: 0.1.1. The skill bundle is classified as suspicious due to multiple code injection and argument injection vulnerabilities in its Python scaffolding scripts. Specifically, `scripts/setup_selene_service.py` and `scripts/lovable_integrate.py` generate code and configuration files by directly embedding user-provided arguments (e.g., `app_name`, `backend_url`, `use_case`) into f-strings, which could lead to Remote Code Execution (RCE) or Cross-Site Scripting (XSS) if an attacker controls these inputs. Additionally, `scripts/flyio_deploy.py` passes user-controlled arguments directly to `flyctl` commands, posing a risk of argument injection. The `assets/selene-template/main.py` also defaults to an insecure `allow_origins=["*"]` CORS configuration. While these are significant vulnerabilities, there is no clear evidence of intentional malicious behavior such as data exfiltration to unknown third parties or backdoor installation.
