Back to skill
Skillv1.0.1
VirusTotal security
create-agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:33 AM
- Hash
- 95f3c103cf78e951d7f13f6dac399a5b943ec61540334d8eba3e5335aa7b9d60
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: create-agent-arch Version: 1.0.1 The skill bundle automates the end-to-end creation and registration of OpenClaw agents, including workspace generation and communication channel configuration. It is classified as suspicious due to a shell injection vulnerability in SKILL.md, where user-provided inputs (such as Agent ID, Name, and channel parameters) are passed directly into shell commands and the scripts/generate-workspace.sh script without sanitization. Additionally, the skill performs high-privilege actions such as installing external code via 'npx playbooks' and setting up a self-evolution loop (capability-evolver) that can modify the agent's core identity and behavioral logic, which significantly expands the attack surface if the agent is exposed to malicious prompts.
- External report
- View on VirusTotal