Skill v1.0.0
VirusTotal security
CapMonster CAPTCHA Solver · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 4:05 AM
- Hash: 3a70d88aefbb2a1214fa9dca8c5a31d517cbb79152840775871d8564a4e350ce
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: capmonster; Version: 1.0.0. The skill's core functionality to solve CAPTCHAs via the CapMonster Cloud API is legitimate. However, the `SKILL.md` documentation and Python code examples contain a hardcoded absolute path (`/Users/eason/clawd/tools/capmonster-cloud`) in `sys.path.insert`. This creates a module hijacking vulnerability, as an attacker could potentially place a malicious `capmonster_api.py` at this path (or an earlier path in `sys.path` if the environment is compromised), leading to arbitrary code execution (RCE) when the agent attempts to import the module. While this is a significant vulnerability, there is no clear evidence of intentional malicious behavior by the skill's author, such as data exfiltration to unauthorized endpoints or persistence mechanisms. All network calls are directed to the legitimate CapMonster API at `https://api.capmonster.cloud`.
