Back to skill
Skillv1.0.2
VirusTotal security
Google Flights Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:53 AM
- Hash
- b1be8e3985b673d4992c66c462c4f3a0c3da30d0e7fd57a229fc977aade34152
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: google-flights-search Version: 1.0.2 The skill is classified as suspicious due to several potential vulnerabilities, though without clear evidence of intentional malice. The `SKILL.md` instructions pose a prompt injection risk, as the AI agent is directed to construct arguments for other skills (e.g., `flight-price-monitor`) using data directly from external API responses, which could lead to command injection if the API response contains malicious strings and the agent does not sanitize them. Additionally, the `scripts/search_searchapi.py` file contains a potential path traversal vulnerability in its `save_log` function, where log filenames are constructed using user-controlled arguments (`--from`, `--to`), and a potential HTTP request injection vulnerability in `_resolve_booking_url` where `post_data` from an external API is used directly in an HTTP POST request body without explicit sanitization.
- External report
- View on VirusTotal