Back to skill
Skillv1.0.2
VirusTotal security
acestep · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:41 AM
- Hash
- b28e9afa121b88183b7efddb076a65b181c34d088ea5fac4fcfa6298ce170739
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: acestep Version: 1.0.2 The skill is classified as suspicious primarily due to a prompt injection vulnerability in `SKILL.md`. The documentation states, "If jq is not installed, the script will attempt to install it automatically." However, the `scripts/acestep.sh` script explicitly checks for `jq` and exits if it's not found, without attempting any installation. An AI agent, following the instructions in `SKILL.md`, might misinterpret this false statement as a directive to itself to install `jq` if the script fails, potentially leading to the agent executing arbitrary commands from untrusted sources or using insecure methods to install `jq`. While the bash script itself is robust in handling inputs and preventing shell injection, this instruction flaw in `SKILL.md` presents a significant risk of unintended command execution by the agent.
- External report
- View on VirusTotal