Back to skill
Skillv1.0.0
VirusTotal security
Cricket Live · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:03 AM
- Hash
- b9cab25a7b202aa29ec2d177087553aa17f04c4b12889be4e549133f2beb0af1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cricket-live Version: 1.0.0 The skill is classified as suspicious due to two main vulnerabilities, not malicious intent. Firstly, the `scripts/helpers.sh` file passes the API key as a URL query parameter to `api.cricapi.com` via `curl`, which can expose the key in shell history, process listings, and logs, as explicitly noted in `SKILL.md`. Secondly, the `to_ist()` function in `scripts/helpers.sh` uses `date -d "$utc_date"` to parse dates from the API response; if an attacker could compromise `api.cricapi.com` to inject shell metacharacters into the date string, it could lead to command injection. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, backdoor installation, or prompt injection against the agent.
- External report
- View on VirusTotal