Back to skill
Skillv3.2.0
VirusTotal security
investor-roadshow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 7:21 PM
- Hash
- 8a73078651469b4272ea0f0ae77635d38df7a91a06600d8490f9a99cad9ce3a8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: investor-roadshow Version: 3.2.0 The skill requires the agent to automatically perform a global installation of an external NPM package (`@fly-ai/flyai-cli`) if it is not found on the system (`SKILL.md`, `references/fallbacks.md`). While this is aligned with the stated purpose of providing flight search capabilities via a CLI, the use of `npm i -g` represents a high-risk capability that could be leveraged for supply chain attacks or arbitrary code execution. There is no evidence of intentional malice, but the automated installation of third-party software is a significant security concern.
- External report
- View on VirusTotal