Back to skill
Skillv1.0.0
VirusTotal security
lead-contact-enrichment-agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:44 AM
- Hash
- 6a1082454a56815a32ee1408ef6e7c53cf5caf7cc674a6dc6bbaa2ee25d9056b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: explorium-lead-enrichment Version: 1.0.0 The skill bundle is classified as suspicious due to a critical prompt injection vulnerability in `SKILL.md`. The instruction `QUERY="<user's original request>"` followed by `python3 "$CLI" ... --call-reasoning "$QUERY"` directly embeds unsanitized user input into a shell command, allowing an attacker to execute arbitrary commands on the host system. Additionally, the broad glob patterns used in `SKILL.md` for CLI discovery (`/sessions/*/mnt/**/*agentsource*/bin/agentsource.py`, `**/.local-plugins/**/*agentsource*/bin/agentsource.py`) introduce a path hijacking risk if an attacker can write to these locations.
- External report
- View on VirusTotal