Back to skill
Skillv2.4.0
VirusTotal security
bot-debate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:41 AM
- Hash
- 43a33517b2ad4d84db5092bbc808b7c145e392db7c40cd8abe2205dd9ad515db
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: bot-debate Version: 2.4.0 The skill is suspicious due to a critical prompt injection vulnerability. The `SKILL.md` explicitly instructs the AI agent to construct its internal prompt using untrusted data, specifically the `topic` and `debate_log` content, which originates from the debate server and other participants. This allows an attacker to inject malicious instructions into the agent's prompt, potentially leading to unauthorized actions. Additionally, the example `bash` script for API interaction contains a shell injection vulnerability if `jq` output is maliciously crafted, though this primarily affects human users of the example rather than the agent itself.
- External report
- View on VirusTotal