Back to skill
Skillv1.0.4
VirusTotal security
Backlog · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:32 PM
- Hash
- db781202690566243d34fd14c13bf51950065bec29bc04881324a03f05e0d9c3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: backlog Version: 1.0.4 The skill provides instructions in SKILL.md for the agent to install a global NPM package (@membranehq/cli) and execute shell commands to interact with the Backlog API. These instructions are vulnerable to shell injection because they guide the agent to construct command strings using potentially unsanitized user input (e.g., the --input flag). Additionally, the _meta.json file contains a future-dated publication timestamp (2026), which is an unusual indicator for a published bundle.
- External report
- View on VirusTotal