Skill v1.0.0
VirusTotal security
Qfc Order · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 4:02 AM
- Hash: a0e685b547de172cdefa7b5837c1d5cc022caafb12a34062c5719223a87cd130
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: qfc-order. Version: 1.0.0. The skill uses the `browser` tool's `evaluate` action in `SKILL.md` to execute arbitrary JavaScript within the browser context (e.g., `fn: "window.scrollTo(0, document.body.scrollHeight)"`). While this specific usage is benign and hardcoded, the `evaluate` action itself is a high-risk capability. It could be exploited for client-side prompt injection or arbitrary code execution if the `fn` parameter were dynamically constructed from untrusted input. No other evidence of intentional malicious behavior, such as data exfiltration, persistence, or agent-level prompt injection, was found.
