Skill v1.0.3
VirusTotal security
Card Profile Recommend · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 6:43 AM
- Hash: 9cbbc7a0a49b0672c90c312bd8a774af8b4ef1b5187927f74e1fd54e9ac0c6b3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: card-profile-recommend; Version: 1.0.3. The skill utilizes `curl` to interact with the Brave Search API using an environment variable (`BRAVE_API_KEY`) as an authentication token, as defined in `SKILL.md`. This pattern introduces a risk of shell injection if the AI agent interpolates unsanitized user input (card names) into the search query string. Although the documentation includes explicit safety rules for the agent regarding URL validation and avoiding shell pipelines, the reliance on shell-based execution with sensitive credentials represents a high-risk capability that warrants caution.
