Skill v1.0.0

VirusTotal security

Skill Search · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 4:48 AM
Hash: 7370e67916abfaf49d393f5674ba90e704a71917cd77f418882ffcb0eda8ac3d
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: dragon-find-skills
Version: 1.0.0

The `SKILL.md` instructs the AI agent to execute shell commands, specifically `npx skills find [query]` and `npx skills add <owner/repo@skill> -g -y`. The `npx skills add` command allows the agent to install arbitrary skill packages globally without confirmation. This capability, while intended for legitimate skill management, introduces a significant Remote Code Execution (RCE) vulnerability if the agent is susceptible to prompt injection, as a malicious user could trick the agent into installing a harmful package from an external source (e.g., GitHub).