Back to skill
Skillv1.0.0
VirusTotal security
OpenCal · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:12 AM
- Hash
- a899d849ea93fb00ee0da3ec59b5f5fc7f4d05baf5a09c82dec2a78e7a467cde
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: opencal Version: 1.0.0 The skill is classified as suspicious due to its reliance on direct shell command execution (`curl`, `jq`) for API interactions, which presents a significant vulnerability to shell injection if the AI agent does not rigorously sanitize user input before constructing these commands. Additionally, the `OPENCAL_BASE_URL` override in SKILL.md allows for potential redirection of API calls to arbitrary endpoints if an attacker can control this environment variable via prompt injection. While these capabilities are plausibly needed for the skill's stated purpose, they introduce high-risk attack vectors without clear malicious intent within the skill's instructions themselves.
- External report
- View on VirusTotal