Back to skill
Skillv1.0.0
VirusTotal security
Dupe · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:38 AM
- Hash
- 310aa90150d3de2cfd286822b1e02a6dcd0dac6ace3925dc167506870aba2074
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dupe Version: 1.0.0 The skill is suspicious due to a clear prompt injection vulnerability in SKILL.md. It explicitly instructs the AI agent to embed the user-provided URL into the final output string without any modification or sanitization (e.g., `https://dupe.com/<whatever-url-the-user-gave-you>`). This instruction, 'IMPORTANT! Simply replace <whatever-url-the-user-gave-you> with the URL of the product page or image URL that the user provided - do not modify the URL in any way.', bypasses crucial input validation and could be exploited for phishing, URL redirection, or client-side attacks if the agent's output is rendered in a vulnerable context or if the target domain (`dupe.com`) has an open redirect or XSS vulnerability.
- External report
- View on VirusTotal