Back to skill
Skillv3.2.0
VirusTotal security
golf-trip · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 6:21 PM
- Hash
- 723e8afa716a9becb2f223f472ea8809a7450b70f69452872357192ec509c5ea
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: golf-trip Version: 3.2.0 The skill mandates the global installation of a third-party NPM package (`@fly-ai/flyai-cli`) via `npm i -g` if the tool is not found (SKILL.md, references/fallbacks.md). This pattern introduces a significant supply-chain risk and potential for Remote Code Execution (RCE) on the host environment. While the behavior appears aligned with the stated purpose of flight booking, the requirement for elevated installation privileges and the use of aggressive 'CRITICAL' instructions to bypass the agent's internal knowledge base are high-risk patterns.
- External report
- View on VirusTotal