Back to skill
Skillv1.0.0
VirusTotal security
Repo PR Triage · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:03 AM
- Hash
- fe768e5f7355482c5c0eda916bd2fef1b49d579498239ea59912fd27115de2c2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: repo-pr-triage Version: 1.0.0 The skill bundle is suspicious due to multiple vulnerabilities. `scripts/onboard.py` is vulnerable to prompt injection, as it embeds unsanitized GitHub repository content (e.g., README, repo description) directly into the `interview-prompt.md` which is then fed to the AI agent. Similarly, `scripts/report.py` is vulnerable to markdown injection, embedding unsanitized PR titles and authors into generated markdown reports, which could lead to secondary prompt injection against the agent. Both `onboard.py` and `scan.py` also lack robust sanitization of user-provided GitHub repository URLs before passing them as arguments to the `gh` CLI, potentially leading to unexpected `gh` behavior or information disclosure.
- External report
- View on VirusTotal