Skill v1.0.0

VirusTotal security

Kagi Fastgpt · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious (Apr 30, 2026, 4:19 AM)

Hash: d3ac28cd1f2255d74d9e39057cdd0e4e3e745d7ff8c88fb0b4f9dbc56e16e1e5
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: kagi-fastgpt
Version: 1.0.0

The skill bundle is classified as suspicious due to a supply chain vulnerability in `kagi-fastgpt.sh`. The script downloads a pre-built binary from GitHub releases (e.g., `https://github.com/joelazar/kagi-skills/releases/download/...`) without performing any checksum verification. While the `SKILL.md` documentation recommends checksum verification, the script itself does not implement it, leaving it vulnerable to potential tampering of the downloaded binary or MITM attacks. An interactive prompt (`read -r -p "Download? [Y/n] " reply`) partially mitigates silent exploitation by an agent, but the underlying vulnerability remains. The Go application (`main.go`) and `SKILL.md` otherwise appear benign, performing expected API calls to kagi.com and lacking other malicious indicators.