Back to skill
Skillv1.0.0
VirusTotal security
Clawracle Oracle Resolver · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:50 AM
- Hash
- 56a263e3269da03332c7e8641d3fe373993d43ca95aa165f6b51022b4bbffc24
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawracle-resolver Version: 1.0.0 The skill is classified as suspicious due to its core reliance on LLM-driven API integration and the explicit instruction that the AI agent can modify its own configuration and documentation files. Specifically, `SKILL.md` and `api-config.json` state that the agent can 'create and edit API configurations and documentation files' using `fs.writeFileSync()`. This, combined with the LLM's role in dynamically constructing and executing API calls and its access to sensitive environment variables (like `CLAWRACLE_AGENT_KEY` from `process.env` as seen in `scripts/register-agent.js` and `scripts/resolve-query.js`), creates a significant prompt injection vulnerability. A successful prompt injection could lead to persistent modification of the agent's behavior, unauthorized data exfiltration, or arbitrary API calls beyond its stated purpose, posing a high risk for RCE or credential theft.
- External report
- View on VirusTotal