Skill v1.6.2
VirusTotal security
Yuboto Omni API Assistant · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:57 AM
- Hash: a499e4fbafb80c38f3e921f44953a68cf8a19c0b34ba81b952ae974b7e31a6cf
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: yuboto-omni-api
  - Version: 1.6.2

  The skill demonstrates good security practices, such as requiring API keys via environment variables (OCTAPUSH_API_KEY), explicitly avoiding `.env` file sourcing in `scripts/poll_pending.sh`, and defaulting to privacy-preserving local state storage. However, it contains a regex injection vulnerability in `scripts/find_endpoints.py` where the search query is directly used in `re.compile()` without sanitization. Additionally, the `callback_url` parameter in `scripts/yuboto_cli.py` (passed to the external Yuboto API via `scripts/yuboto_client.py`) could be exploited for SSRF or webhook abuse if an AI agent is prompted to provide a malicious URL, as the skill does not validate this URL before passing it to the API. These are vulnerabilities that could be exploited through prompt injection against the agent, but do not indicate intentional malicious behavior by the skill developer.
