Back to skill
Skillv1.0.0
VirusTotal security
External Ai Integration · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:22 AM
- Hash
- bc1a397464cdfc67fc561a0f3c8c3fb5f1227afc12bb9de2f1352739b51c02df
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: external-ai-integration Version: 1.0.0 The skill is classified as suspicious primarily due to a shell injection vulnerability present in the `SKILL.md` documentation's example `curl` command. While the core Python implementation (`external_ai_integration.py`) correctly mitigates this risk by using `subprocess.check_output` with a list of arguments and `json.dumps` for payload serialization, the instruction itself in `SKILL.md` demonstrates an insecure pattern that could be exploited if an agent were to literally interpret and execute it with unsanitized user input. Additionally, the skill involves broad capabilities for browser automation and external API calls, requiring access to sensitive API tokens (retrieved from 1Password, environment variables, or `~/.huggingface/token`), which, while necessary for its stated purpose, inherently carries elevated risk.
- External report
- View on VirusTotal