Back to skill
Skillv1.0.3
VirusTotal security
Ai Dev Tools · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:57 AM
- Hash
- 23ad042090f6936d4f3cdd87117b414a0e0cb56e6fc96f00a3562dd7336c1893
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ai-dev-tools Version: 1.0.3 This skill is classified as suspicious due to two significant vulnerabilities. Firstly, the `skill.json` defines commands that execute `tools.py` with user-controlled parameters (`{query}`, `{product_name}`) directly in a shell command, making it vulnerable to shell injection if the OpenClaw agent executes these without proper sanitization. Secondly, the `SKILL.md` instructions include `curl` examples targeting a hardcoded external IP address (`43.163.220.15:8888`). If an AI agent interprets these as executable commands, it would initiate outbound network requests to an arbitrary external endpoint, posing a risk for potential command-and-control or data exfiltration if the target were compromised. While the core functionality of recommending affiliate products is benign, these vulnerabilities present a clear risk of unintended or malicious execution.
- External report
- View on VirusTotal