Back to skill
Skillv0.1.5
VirusTotal security
Newsletter Curation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:41 AM
- Hash
- a21aebf5e46f61e98af116a897a7628bb1ea457bae0d9df472820cf4c0759d57
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: newsletter-curation Version: 0.1.5 The SKILL.md file contains instructions for the agent to execute `curl -fsSL https://cli.inference.sh | sh` and `npx skills add ...` commands. These commands are outside the explicitly defined `allowed-tools: Bash(infsh *)` scope. While the stated purpose is to install a CLI tool, instructing the agent to execute arbitrary shell commands (like `curl | sh` or `npx`) represents a prompt injection attempt and a potential Remote Code Execution (RCE) vulnerability if the agent's security controls (e.g., `allowed-tools` enforcement) are bypassed or misinterpreted. There is no clear evidence of intentional malicious activity beyond this risky execution pattern.
- External report
- View on VirusTotal