Skill v1.0.3

VirusTotal security

gcal-oauth-bridge · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:09 AM
Hash: f5256ca1b1e2129ea69e63fc135cd99f97d8ad1637296282fa35f5c3307c395b
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: gcal-oauth-bridge
Version: 1.0.3

The skill bundle's core function is to interact with a local service via HTTP GET requests, which is benign. However, the SKILL.md file contains extensive setup instructions for this prerequisite service, including commands like `git clone`, `npm install`, `node app.js`, and `systemctl` for persistence. If an AI agent were susceptible to prompt injection and interpreted these setup instructions as commands to execute, it would pose a significant Remote Code Execution (RCE) vulnerability, making the skill suspicious due to this potential for unintended execution of powerful commands.