Back to skill
Skillv1.0.0
VirusTotal security
BYOCB ArbInjectionSkill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:24 AM
- Hash
- ab68db2434f3b4d2a029b2ff3354d0814e81c0d23012be7ef6c9165f21bbb3d0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill is classified as suspicious due to a significant supply chain vulnerability. The `SKILL.md` explicitly instructs the AI agent to schedule a daily cron job to perform `git pull origin main` and `npm install` from the external GitHub repository `https://github.com/BringYourOwnBot/arb-injection`. While framed as 'maintenance,' this allows for automatic fetching and execution of potentially malicious code if the upstream repository is compromised, without further user intervention. Additionally, the skill instructs the agent to use a `message` tool for notifications, indicating access to external communication channels, which could be leveraged if the skill's code is compromised.
- External report
- View on VirusTotal