Back to skill
Skillv1.0.0
VirusTotal security
SAAS Orchestrator · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:03 AM
- Hash
- 8f9166ca1bd84d356f7b502d4882439bb6bb1f77a049a4e20adece039d30b7ec
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: saas-orchestrator Version: 1.0.0 The skill bundle is classified as suspicious due to significant prompt injection vulnerabilities identified in `scripts/spawn-saas-builder.py` and `scripts/spawn-saas-researcher.py`. Both scripts directly embed unsanitized command-line arguments into the generated 'task' strings, which are intended as prompts for subagents. This allows an attacker to inject arbitrary instructions into the subagent's prompt, potentially leading to unauthorized actions by the subagent. While the scripts' primary purpose is benign (generating tasks and reports), this lack of input sanitization represents a critical vulnerability.
- External report
- View on VirusTotal