Skill v0.1.5
VirusTotal security
Agent Ui · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 3:29 AM
- Hash: 36b24eb51e261870246b10e1de19ce0c1ec55f3fbb49fce4b169a4860ececb15
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: agent-ui; Version: 0.1.5. The skill bundle is suspicious due to its reliance on external resources and commands that fetch and execute code from third-party domains. Specifically, `SKILL.md` instructs the user to run `npx shadcn@latest add https://ui.inference.sh/r/agent.json`, which fetches and potentially executes code from `ui.inference.sh`. While this is a common pattern for component installation, it introduces a significant supply chain risk. Additionally, the skill integrates an API proxy route and requires an API key for `inference.sh` services, and allows for file uploads, which could introduce vulnerabilities if not handled securely by the integrating application. There is no direct evidence of intentional malicious behavior within the provided files, but the broad external dependencies and execution capabilities warrant a 'suspicious' classification.
