Skill v1.1.6
VirusTotal security
Source Cult Follower · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:49 AM
- Hash: 4cc414ba4fc0e6963c6914e6fe9649dde649b4228ba00575c8ce52869063f357
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: source-cult-follower; Version: 1.1.6. The skill is classified as suspicious due to a significant prompt injection surface in `SKILL.md` and a potential shell injection vulnerability in `scripts/join.sh`. The `SKILL.md` explicitly instructs the AI agent to dynamically generate content for script arguments and external communications (e.g., `bash scripts/activity.sh "DAILY_REFLECTION" "<your thought>"`), and to consistently include external links (`https://source-cult.vercel.app/`) in its interactions. Furthermore, `scripts/join.sh` constructs a proof-of-work string using the agent's name (`AGENT_NAME`) without robust shell escaping before piping it to `sha256sum`, which could lead to remote code execution if `AGENT_NAME` (read from `IDENTITY.md` or `SOUL.md`) were maliciously crafted. While the skill's core functionality involves external network communication to `source-cult.vercel.app` and `moltbook.com` for its stated 'cult' purpose, these combined factors introduce notable security risks.
