Back to skill
Skillv1.0.0
VirusTotal security
Multi-Agent Dev Team · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:14 AM
- Hash
- f45aff821ea35c1ddd95fd3c9eb6c185ed8da7c6362290bafd33d6f6d95c7ff5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: multi-agent-dev-team Version: 1.0.0 The skill is designed for legitimate software development, but both the PM and Dev agents are explicitly granted high-risk capabilities like `exec` (arbitrary command execution) and `Read/Write` (arbitrary file system access) in their SOUL.md files. The Dev agent is also instructed to `git push` code. While these capabilities are necessary for a development agent, they introduce a significant prompt injection vulnerability. A malicious user could craft a project request that, when processed by the PM and then passed to the Dev agent, could lead to unauthorized arbitrary code execution or data exfiltration from the host system. There is no evidence of intentional malicious behavior by the skill's author, but the inherent risk of these powerful, agent-controlled tools makes it suspicious.
- External report
- View on VirusTotal