Back to skill
Skillv0.2.0
VirusTotal security
๐ฆ Unicon CLI ยท External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:57 AM
- Hash
- ce7ede990a0923b027c6b6c3b0a9d31c9d3423dd57a73730d8f73ea66194b157
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: unicon Version: 0.2.0 The skill is classified as suspicious primarily due to the `unicon skill` command described in `SKILL.md` and `references/cli-commands.md`. This command allows the CLI to write files (e.g., `SKILL.md`, `.mdc`) into configuration directories of other AI assistants (e.g., `.claude/skills/`, `.cursor/rules/`, `.agent/rules/`). While intended for installing helpful skills, this capability introduces a significant vulnerability for cross-agent prompt injection or supply chain attacks if the `unicon` CLI itself were compromised or misused. Additionally, the tool makes external API calls to `https://unicon.sh/api`, which can be redirected via the `UNICON_API_URL` environment variable, presenting another potential vector for misuse.
- External report
- View on VirusTotal