Back to skill
Skillv1.0.0
VirusTotal security
Async Programming · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:48 AM
- Hash
- bd44eeaea7e21571a1ffba7b8a443b12c59499e7f7094a4c8755cf3a6233d4db
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: async-programming Version: 1.0.0 The `SKILL.md` file instructs the agent to spawn a sub-agent (`sessions_spawn`) for programming tasks. The `task` parameter for this sub-agent is directly populated with user-provided input, and the sub-agent is specified as a 'coder model'. This creates a significant prompt injection vulnerability, allowing a malicious user to potentially instruct the sub-agent to perform unauthorized actions, including arbitrary code execution or data exfiltration, by crafting a harmful task description.
- External report
- View on VirusTotal