Back to skill
Skillv1.0.0
VirusTotal security
Boil · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:19 AM
- Hash
- c8e660ea36ad50bfbf775c1ad59f2994824a7a253b571355ffa24f58354da2e8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: boil Version: 1.0.0 The skill bundle contains conflicting instructions regarding API endpoint URLs, which could lead to an agent violating critical security warnings. While SKILL.md explicitly warns to 'NEVER send your API key to any domain other than www.boil.sh' and states that 'Using boil.sh without www will redirect and strip your Authorization header!', other files like skill.json and WORKLOOP.md provide API URLs using 'boil.sh' (without 'www'). This inconsistency in instructions, treated as a prompt injection vulnerability, could cause an agent to attempt to send its API key to a domain explicitly warned against, even if the header is stripped, posing a security risk.
- External report
- View on VirusTotal