Back to skill
Skillv0.1.5
VirusTotal security
Talking Head Production · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:41 AM
- Hash
- 9ba60fb8e9e2f7bd966dbe9217dff760d6bdba2da022d7248ac5f19699b1d3c7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: talking-head-production Version: 0.1.5 The skill bundle is classified as suspicious due to the `curl -fsSL https://cli.inference.sh | sh` command provided in `SKILL.md` for installing the `inference.sh` CLI. While this instruction is intended for the user to set up their environment and the agent's `allowed-tools` are strictly limited to `Bash(infsh *)` (preventing the agent from executing arbitrary shell commands), the `curl | sh` method itself represents a significant supply chain vulnerability. If `cli.inference.sh` were compromised, executing this command could lead to arbitrary code execution on the user's system. There is no evidence of intentional malicious behavior or prompt injection attempts against the agent.
- External report
- View on VirusTotal