Back to skill
Skillv1.0.0
VirusTotal security
Boxed Curl · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 28, 2026, 4:21 PM
- Hash
- c9b301890365132bb92797b836986872676e1d02cd9fca3482881b975ba81505
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: boxed-curl Version: 1.0.0 The 'boxed-curl' skill facilitates HTTP requests via a WASM sandbox but requires the agent to download and execute an external binary from a third-party GitHub repository (SKILL.md). It also instructs the agent to perform high-privilege system actions if dependencies are missing, such as installing plugins and restarting the gateway service. While these behaviors are documented as necessary for the skill's functionality and include security-conscious features like network host allowlisting, the combination of remote payload execution and environment modification represents a significant supply chain and execution risk.
- External report
- View on VirusTotal