Back to skill
Skillv1.0.0
VirusTotal security
友行 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 12, 2026, 7:51 AM
- Hash
- 8dc13281e169056a3563c8d524b7cb426e4f6e69158120a7d2335326859edf86
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: youxing Version: 1.0.0 The skill bundle uses 'node -e' to execute JavaScript code for querying the 'api.cumen.fun' API. While the functionality aligns with the stated purpose of fetching community activity data, the implementation in SKILL.md relies on the AI agent performing string replacement for parameters like 'CAMPAIGN_ID' directly into the code block. This pattern creates a code injection vulnerability if the input is not strictly validated, as a malicious activity ID could execute arbitrary Node.js code.
- External report
- View on VirusTotal