Back to skill
Skillv1.1.1
VirusTotal security
Factory · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:16 AM
- Hash
- eba40faffc4b8dd68fef8a271c5ea1c16957d93d0303985f6c9ecfee385db6c3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: solo-factory Version: 1.1.1 The skill is classified as suspicious primarily due to the use of `curl -LsSf https://astral.sh/uv/install.sh | sh` in `SKILL.md` for installing the `uvx` dependency. This pattern, while common for installing legitimate tools, represents a significant remote code execution (RCE) vulnerability and supply chain risk, as it executes arbitrary code downloaded from a remote server without prior inspection. Although the stated intent is to install a legitimate tool, this method introduces a high-risk capability that could be exploited if the remote server or script were compromised, or if the author had malicious intent not immediately apparent. The `allowed-tools` also grant broad `Bash, Read, Write` permissions, which are necessary for an installer but amplify the risk of such commands.
- External report
- View on VirusTotal