Back to skill
Skillv1.0.0
VirusTotal security
XPR Creative · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:55 AM
- Hash
- c3d7caefa7957a913874c0b8769062f2dfb60d4db9fcb7cd5d9b30bdef93a55a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xpr-creative Version: 1.0.0 The skill is classified as suspicious due to several high-risk capabilities that, while potentially part of its stated purpose, introduce significant vulnerabilities. The `store_deliverable` tool allows downloading content from arbitrary `source_url`s, and the PDF generation process downloads images from URLs embedded in markdown, posing an SSRF (Server-Side Request Forgery) and resource exhaustion risk. Additionally, the `create_github_repo` tool can create public repositories with arbitrary file content, which could be exploited for data exfiltration if a compromised agent is tricked into uploading sensitive local files (e.g., environment variables, SSH keys) to a public GitHub repository. These are vulnerabilities that could be leveraged by prompt injection or other means, rather than direct malicious intent within the skill's code.
- External report
- View on VirusTotal