Back to skill
Skillv2.0.0
VirusTotal security
OC Team Builder · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:38 AM
- Hash
- dad0db57c433c043d6ac06b8dc23b23de0248858b5de2f993bfc6b58ad2ae722
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: oc-team-builder Version: 2.0.0 The skill bundle implements a multi-agent orchestration system with a 'Research Lab' feature that uses autonomous experiment loops. A significant security concern exists in `scripts/experiment.sh`, which utilizes `eval` to execute strings provided via the `--run-cmd` and `--metric-cmd` arguments, creating a high risk for shell injection. Additionally, the 'autoresearch' methodology described in `references/TEAM-RESEARCH.md` and `SKILL.md` explicitly instructs the AI agent to autonomously modify and execute code (`train.py`) in a continuous loop; while this aligns with the stated purpose of the skill, the combination of `eval` and autonomous execution without strict sandboxing or input validation poses a substantial risk of remote code execution (RCE).
- External report
- View on VirusTotal