Back to skill
Skillv1.0.0
VirusTotal security
workflow-migrate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:01 AM
- Hash
- edae7f14ee77e51bdd25ed25667310079f5ac480057369f4e7a86a9d69d90960
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: workflow-migrate Version: 1.0.0 The skill is classified as suspicious due to significant prompt injection and code generation vulnerabilities, amplified by broad permissions. The agent is instructed to generate executable Python/Node.js scripts based on user input, which presents a code injection risk. Critically, the agent is also instructed to generate a new `SKILL.md` file (Step 6), which is an agent instruction file, creating a direct prompt injection surface where malicious user input could lead to the agent executing arbitrary commands or revealing sensitive information. The `allowed-tools` include `Bash`, `Read`, `Write`, and `Edit`, providing extensive capabilities that could be abused if these vulnerabilities are exploited. There is no clear evidence of intentional malicious behavior by the skill owner, but the potential for exploitation is high.
- External report
- View on VirusTotal