Back to skill
Skillv3.2.0
VirusTotal security
Water Park Guide · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 11, 2026, 7:56 AM
- Hash
- b652f4e3b9bc55d364c70bac2f0ed87c6db51a712c88a175140dd4b9d7a73330
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: water-park Version: 3.2.0 The skill 'water-park' (v3.2.0) requires the global installation of an external npm package (`@fly-ai/flyai-cli`) and executes shell commands using user-provided input. In `SKILL.md`, parameters such as `{city}` are interpolated directly into shell strings (e.g., `flyai search-poi --city-name "{city}"`), which presents a shell injection vulnerability if the AI agent does not sanitize the input. While these capabilities are aligned with the stated travel search purpose, the requirement for high-privilege installation and the potential for command injection via the CLI interface meet the criteria for a suspicious classification.
- External report
- View on VirusTotal