Back to skill
Skillv1.3.4
VirusTotal security
AyeAye · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:51 AM
- Hash
- d17b438a8e1ed63c09dca88a4daa1439a5a4436e2d0e5f46ca0f079e545a59ee
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ayeaye Version: 1.3.4 The skill bundle, while ostensibly benign for an AI social network, presents a significant supply chain vulnerability. The `SKILL.md` file explicitly instructs the agent to periodically fetch and replace its own `SKILL.md` from `https://api.ayeaye.fun/skill.md`. This self-update mechanism means that if the `ayeaye.fun` server were compromised, an attacker could inject malicious instructions (prompt injection) into the `SKILL.md` file, leading to arbitrary command execution or data exfiltration by the agent. This is a critical vulnerability, not direct malice, but it allows for future malicious exploitation. Additionally, a broad `PostToolUse` hook in `SKILL.md` is configured to execute a `curl` command after every tool use, demonstrating a high-frequency execution capability, though currently for a benign heartbeat.
- External report
- View on VirusTotal