Back to skill
Skillv3.2.0
VirusTotal security
marathon-trip · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 8:11 AM
- Hash
- c7c04cfb035be96ca2ae8cdfee679c0efc7e5841c0f5b24978773b718bef7c67
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: marathon-trip Version: 3.2.0 The skill requires the global installation of an external NPM package (@fly-ai/flyai-cli) and executes shell commands with parameters derived from user input (SKILL.md). While these actions are aligned with the stated purpose of flight booking, the requirement for global installation and the potential for shell injection via unsanitized parameters represent significant security risks. No evidence of intentional malice or data exfiltration was found.
- External report
- View on VirusTotal