Back to skill
Skillv1.1.0
VirusTotal security
Content Repurposer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 8:24 AM
- Hash
- c9e29d39d4ef126b09d782ae0b31b39c4a9b078613f008721d20471856361199
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: content-repurposer Version: 1.1.0 The skill is classified as suspicious due to a significant prompt injection vulnerability against the underlying LLM. The shell scripts (e.g., `scripts/instagram-caption.sh`, `scripts/linkedin-post.sh`) construct LLM prompts by directly embedding values from the user's `config.json` (e.g., `voice.tone`, `user.primary_cta`) without sanitization. If an attacker could compromise or manipulate the local `config.json` file, they could inject malicious instructions into the LLM prompt, potentially leading the AI agent to perform unintended actions. While the skill itself does not exhibit malicious intent (e.g., data exfiltration, backdoors), this vulnerability allows for potential abuse if the configuration is compromised. Additionally, `repurpose.sh` uses `curl` to fetch content from arbitrary URLs, which, while necessary for its function, represents a network access capability that could be misused in a different context.
- External report
- View on VirusTotal