Back to skill
Skillv1.0.0
VirusTotal security
Skill Factory · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:24 AM
- Hash
- ef2e307ef2df077804f862d42c3ecb566c7689f3304647c83bb30a19f0a289cf
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-factory Version: 1.0.0 The skill bundle is classified as suspicious due to inherent risks associated with its core functionality of creating, packaging, and analyzing other skills, which involves executing shell commands and broad file system access. Specifically, the `SKILL.md` instructs the AI agent to execute Python scripts with user-provided input (e.g., `<skill-name>`), creating a potential prompt injection vector against the agent, even though the `init_skill.py` script itself includes input sanitization. Additionally, the `SKILL.md` uses a `find` command to locate its own scripts, which could be vulnerable to path manipulation if a malicious script with the same name were planted in an earlier search path. While these capabilities are necessary for the skill's stated purpose, they represent significant vulnerabilities that could be exploited, though there is no clear evidence of intentional malicious behavior like data exfiltration or backdoors within the provided code.
- External report
- View on VirusTotal