Back to skill
Skillv3.2.0
VirusTotal security
volunteer-travel · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 27, 2026, 2:51 AM
- Hash
- d833b69f85cc7b47e5d4feb55176605d3db1405bfa7c32fd82f06f337c681513
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: volunteer-travel Version: 3.2.0 The skill bundle is classified as suspicious because it instructs the agent to perform a global installation of an external NPM package (`@fly-ai/flyai-cli`) and execute CLI commands using unvalidated user input, which presents supply-chain and shell injection risks. These instructions, located in `SKILL.md` and `references/fallbacks.md`, mandate the use of the external tool while strictly forbidding the use of the agent's internal knowledge. Although these actions are consistent with the tool's travel-booking purpose, the high-privilege operations and lack of input sanitization constitute significant security risks.
- External report
- View on VirusTotal