Back to skill
Skillv1.0.1
VirusTotal security
玄空数术·六爻占卜 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 26, 2026, 1:01 PM
- Hash
- 5509ac80b1faa4ef9d0edb61503ae40c00d80549fecd603fd043fb54f4b705e6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: yao Version: 1.0.1 The skill exhibits risky behavior by instructing the agent to execute shell commands that incorporate user-provided input, specifically saving an API key to `~/.liuyao_key` via `echo`, which creates a shell injection vulnerability in `SKILL.md`. It also performs direct file system operations and uses `curl` to download remote images to `/tmp` from `https://yao.gizzap.com`. While these actions are aligned with the stated divination purpose, the use of unvalidated shell execution and broad file/network access constitutes a significant security risk.
- External report
- View on VirusTotal