Skill v1.0.0
VirusTotal security
AgentScout · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 6:38 AM
- Hash: 8b2d9ea18264b22709c754b4d5c401a2217f47b834a9d4c8ee34070c1fdf2523
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: agentscout. Version: 1.0.0. The AgentScout skill is designed to discover GitHub projects and generate social media content, but it contains high-risk behaviors and security flaws. Specifically, `src/visual/composer.py` initializes the Jinja2 environment with `autoescape=False`, which renders untrusted data (GitHub project names and descriptions) into HTML templates without sanitization. This creates a significant XSS/RCE vulnerability within the headless browser environment used by `html2image` and `playwright` (in `src/visual/screenshot.py`). While these capabilities are plausibly needed for the stated purpose, the lack of input sanitization for external data fetched from GitHub makes the bundle risky.
