Skill v1.0.0

VirusTotal security

Patrick bot · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:47 AM
Hash
7a42d689e05cc1045512bc3d03a4065249b46082f16003bdfe7ffbb8f7347232
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: patrick
Version: 1.0.0

The skill bundle is classified as suspicious due to several high-risk behaviors. The `SKILL.md` file contains a critical prompt injection vulnerability, explicitly instructing the AI agent to "Read all available context: Company data JSON files, Slack message archives, JIRA tickets, Git commit history, Calendar events, Any operational data available." This broad instruction for data collection, combined with the `patrick-cli send` command's ability to transmit "results" to the `patrickbot.io` server, creates a significant risk of unauthorized data exfiltration. Additionally, the `install.sh` script downloads and executes a binary from `https://portal.patrickbot.io` (a supply chain risk, despite checksum verification), and `SKILL.md` instructs the setup of cronjobs, establishing persistence for the `patrick-cli` tool.