Back to skill
Skillv1.0.0
VirusTotal security
travel-destination-brochure · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:41 AM
- Hash
- 186352f840bda868689e1af5d5d47943084ea39e5c962bc750249d501bc199e1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: travel-destination-brochure Version: 1.0.0 The skill bundle is classified as suspicious due to high-risk installation methods and potential prompt injection vulnerabilities. The `SKILL.md` and `README.md` files instruct the agent to install the `uv` package manager using `curl -LsSf https://astral.sh/uv/install.sh | sh` and `powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"`. These patterns involve downloading and executing arbitrary scripts from the internet, which is a significant supply chain risk. Furthermore, `SKILL.md` contains prompt injection instructions like "Check .env file for api key" and "Read .env file to find api keys", which could lead the AI agent to access and potentially expose sensitive data from the `.env` file beyond the intended `VLMRUN_API_KEY`.
- External report
- View on VirusTotal