Skill v1.0.0

VirusTotal security

ds160-autofill · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:31 AM

Hash: 34b0018d00a1b60dde315983f35507f1bc77a16ba8a8b7ab51172a63164629c0
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: ds160-autofill
Version: 1.0.0

The `scripts/ds160-filler.js` file uses `page.evaluate` to inject user-provided data from the `ds160-user-info.csv` file directly into JavaScript strings for form filling without apparent sanitization. This creates a client-side code injection vulnerability (XSS-like) within the browser context, allowing a malicious user to craft a CSV with JavaScript payloads that could be executed by the agent.

While this is a risky capability and a security flaw, there is no clear evidence of intentional malicious behavior by the skill author, and other aspects like file system access and network calls are aligned with the stated purpose of automating DS-160 forms on the official website (ceac.state.gov).