Back to skill
Skillv1.0.2
VirusTotal security
Docling · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:48 AM
- Hash
- 3d6e67770879605edb54c402c8125a4ff217fbe22396e4992ea08517ab1c3dc5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: docling Version: 1.0.2 The skill wraps the `docling` CLI tool, which exposes high-risk capabilities such as `--enable-remote-services` (can send data to remote endpoints) and `--allow-external-plugins` (loads third-party code), as detailed in `SKILL.md` and `references/cli-reference.md`. While `SKILL.md` explicitly warns against using these flags, an AI agent could be susceptible to prompt injection, leading it to ignore these warnings and activate these features, potentially resulting in data exfiltration or remote code execution. This constitutes a significant vulnerability rather than intentional malicious behavior by the skill author.
- External report
- View on VirusTotal