Back to skill
Skillv1.0.0
VirusTotal security
Card Value · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 15, 2026, 1:26 PM
- Hash
- 5ba7bdc98147fb3017aa9995f27eca3389172fa9b851ce1f841dc2aee35affd7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: card-value Version: 1.0.0 The skill instructions in SKILL.md direct the agent to execute shell commands via 'curl' to interact with the Brave Search API, utilizing a sensitive environment variable (BRAVE_API_KEY). While the file includes explicit safety guidelines to prevent shell injection and restrict URL fetching to approved domains, the manual construction of shell strings using user-provided input (card names) creates a risk of command injection or credential leakage if the agent fails to sanitize the input properly. This pattern of low-level shell execution for API calls is considered a high-risk behavior in an agentic context.
- External report
- View on VirusTotal