Back to skill
Skillv1.0.0
VirusTotal security
X Brand Operator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:24 AM
- Hash
- 6f60cae7358312b84bc23091c0514ee0fc51af506ef000c515bb4d47de6a679c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: x-brand-operator Version: 1.0.0 The skill bundle automates X/Twitter brand operations, including posting, keyword engagement, and reporting. It is classified as suspicious due to a high-risk vulnerability: the instructions in SKILL.md and references/cron-config.md direct the agent to use shell execution (exec) for the 'xurl' tool with arguments (tweets and replies) derived from AI-generated content. Because this content is based on untrusted external data (X search results), the skill is highly vulnerable to indirect prompt injection, which could lead to arbitrary command execution (RCE). No evidence of intentional malice, such as data exfiltration or backdoors, was found.
- External report
- View on VirusTotal