Skill v0.4.0
VirusTotal security
plsreadme · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 3:54 AM
- Hash: eed1a2ced8018788a9cfff30fac5ebdc6e07c2ad8845af633a60232e561fe93c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: plsreadme. Version: 0.4.0. The skill is classified as suspicious due to two primary risky capabilities outlined in SKILL.md. Firstly, it instructs the agent to execute an external Node.js package (`npx -y plsreadme-mcp`), which introduces a supply chain risk as the integrity of the `plsreadme-mcp` package cannot be guaranteed. Secondly, the `plsreadme_share_file` tool explicitly states it 'Reads from disk', granting the agent the capability to access local files. While the skill includes a positive instruction to 'confirm with the user before sharing sensitive content' to mitigate prompt injection risks, the underlying capabilities for arbitrary code execution and local file access represent significant vulnerabilities if the agent is compromised or the external package is malicious.
