Skill v1.0.0
VirusTotal security
find-skills-wzr-999 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:56 AM
- Hash: d26cd7eec52d60d30247103af1e8ddd8c463c299e3514e803669732fd0a9a481
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: find-skills-wzr-999
  - Version: 1.0.0

  The skill is designed to help an AI agent discover and install other skills, which inherently carries risks. It instructs the agent to execute `npx skills find [query]` where `[query]` is derived from user input, posing a potential shell injection vulnerability if the `npx skills` CLI or the agent's execution environment does not properly sanitize the input. Furthermore, the agent is instructed to install skills using `npx skills add <owner/repo@skill> -g -y`, which allows for silent, global installation of arbitrary code from external sources (e.g., GitHub, skills.sh). This introduces a significant supply chain risk, as a malicious skill published to these sources could be installed and executed by the agent without explicit user confirmation, leading to arbitrary code execution. These risks are present in `SKILL.md`.
