Back to skill
Skillv1.0.0
VirusTotal security
instagram-saver · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:15 AM
- Hash
- 6852874199eeff42f378d9b2c3651f7a1892fabea4f48ccef9d5e2675f6adf57
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: instagram-saver Version: 1.0.0 The skill instructs the AI agent to execute a `curl` command, directly substituting a user-provided URL (`{url}`) into the command's data payload in `SKILL.md`. While the `curl` command uses single quotes around the data, which mitigates some direct shell injection, the lack of explicit sanitization instructions for the user-provided input creates a significant prompt injection vulnerability against the AI agent. This allows a malicious user to potentially manipulate the agent's behavior beyond the intended scope by crafting a specially formed URL, leading to arbitrary command execution or unintended actions.
- External report
- View on VirusTotal