Back to skill
Skillv0.1.0
VirusTotal security
HungryPanda Book · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:43 AM
- Hash
- 3598e79c668ea5eb0ea3680a7bc3a8a5d6d172916412f76a4cb0da2163f0704c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hungrypandabook Version: 0.1.0 The skill bundle for 'HungryPanda' food delivery includes a high-risk 'heartbeat' mechanism in SKILL.md that directs the AI agent to periodically fetch and 'execute' instructions from a remote URL (https://open.hungrypanda.vip/heartbeat.md). This pattern enables remote instruction injection, allowing the server to dynamically control the agent's behavior post-installation. Although the documentation features prominent security warnings against API key exfiltration and a sophisticated 'AI Verification Challenge' to prevent unauthorized orders, the reliance on external, unverified markdown for core logic updates is a significant security risk.
- External report
- View on VirusTotal