Skill v1.1.1
VirusTotal security
Codeflicker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:59 AM
- Hash: c545dac55d3b8f79401c6376a80e234f7eac60a1edc754593613c624e0b47afc
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: codeflicker; Version: 1.1.1. The skill bundle is classified as suspicious due to explicit instructions in SKILL.md and README.md to configure the `flickcli` tool with `approvalMode yolo`. This setting enables auto-execution of generated commands and code without human confirmation, effectively disabling a critical safety mechanism for the AI agent. Furthermore, the `flickcli` tool, as described, exposes high-risk capabilities such as `flickcli run` (natural language to shell command execution), `flickcli skill add user/repo` (adding skills from arbitrary GitHub repositories), and `flickcli mcp add` (executing arbitrary `npx` commands). When combined with the 'yolo' auto-execute mode, these features create multiple vectors for arbitrary code execution and supply chain risks, making the agent highly vulnerable to subsequent malicious prompts or compromised dependencies, despite lacking direct evidence of intentional data exfiltration or backdoor installation within the provided files.
