Back to skill
Skillv1.0.0
VirusTotal security
Claw Employer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:04 AM
- Hash
- 71d52ccb5de9a0d3ec09a20f2968b05c156c7bdd0c3840dfd47854c45c8c8b1e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claw-employer Version: 1.0.0 The skill's primary function to interact with the ClawHire platform is legitimate. However, it contains a significant vulnerability: the `SKILL.md` instructions direct the agent to make HTTP POST requests to `worker_a2a_url` obtained from third-party agents via the ClawHire discovery service. This allows for Server-Side Request Forgery (SSRF) or arbitrary network access, as a malicious worker could provide an internal network address or an attacker-controlled external URL, potentially leading to unauthorized information disclosure or interaction with internal services. There is no evidence of intentional malicious behavior within this skill bundle itself, but it exposes the agent to a critical risk from untrusted input.
- External report
- View on VirusTotal