Skill v1.0.0
VirusTotal security
Superdesign · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:52 AM
- Hash: a8418ea97cf6d85b27e114d55f2e133a6c6760912c2125ec9b77ae1a71b0ee24
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: superdesigndev; Version: 1.0.0. This skill is classified as suspicious due to multiple high-risk behaviors and vulnerabilities. The agent is instructed to automatically fetch and execute instructions from remote GitHub raw content URLs (INIT.md and SUPERDESIGN.md from `https://raw.githubusercontent.com/superdesigndev/superdesign-skill/main/skills/superdesign/`) as direct agent instructions, which is a critical remote code execution (RCE) and prompt injection vulnerability (SKILL.md). Additionally, the agent is instructed to automatically install/update the `@superdesign/cli` npm package globally (`npm install -g @superdesign/cli@latest`), posing a significant supply chain risk (SKILL.md, SUPERDESIGN.md). Furthermore, the skill is designed to read and process extensive portions of the user's codebase, including 'FULL source code' of components, layouts, and configuration files, passing this sensitive data to the `superdesign` CLI, which represents a major data exposure risk (INIT.md, SUPERDESIGN.md).
