Back to skill
Skillv1.0.0
VirusTotal security
Magic for AI Agents · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:49 AM
- Hash
- 54ae28e0db81bbf4392e513737c6d72ea4b1585d2d73b7e0b512e27cfe6a0cd4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: magic-api Version: 1.0.0 The skill is suspicious due to explicit instructions for the AI agent to perform system-level actions. Specifically, SKILL.md instructs the agent to save its API key to `~/.config/magic-api/state.json` (a filesystem write) and to 'Set up a cron job' for automatic task monitoring, implying system-level persistence and execution. Additionally, the skill mandates including 'Owner Contact Information' (Name, Email, Phone) in task instructions, which means the agent is explicitly directed to send PII to the external service at `https://console.api.getmagic.com`. While these actions are presented as necessary for the skill's functionality, they represent capabilities that could be exploited via prompt injection for unauthorized data manipulation, persistence, or PII exfiltration beyond the stated purpose.
- External report
- View on VirusTotal