Back to skill
Skillv1.0.0
VirusTotal security
AI-review · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:35 AM
- Hash
- 51ac1342719c1baa22e304e5e33d0ccb54a8caeb5073e94237b820e2695c08ad
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ai-review Version: 1.0.0 The skill is classified as suspicious due to critical vulnerabilities in its content reading mechanisms defined in `SKILL.md`. Specifically, the skill instructs the agent to use the `shell` tool to process PDF URLs via `curl` and `pdftotext`, creating a severe shell injection vulnerability that could lead to Remote Code Execution (RCE) if the user-provided URL is not sanitized. Additionally, it uses the `file` tool to read local `.md` or `.txt` files, which is vulnerable to Local File Inclusion (LFI) if user-provided file paths are not sanitized. While these capabilities are highly risky, there is no explicit evidence of intentional malicious behavior within the skill bundle itself, classifying it as a vulnerable utility rather than malware.
- External report
- View on VirusTotal