Back to skill
Skillv1.0.0
VirusTotal security
Facebook Fanpage Inbox for Meta Business Suite · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 2, 2026, 4:28 AM
- Hash
- f26b5ed7ca34b0d3bab2e10bfdd50e5a33a50a0e0b0be373d0dd3b7cf7bc7272
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: meta-fb-inbox Version: 1.0.0 The skill is classified as suspicious due to the direct execution of shell commands (`curl`) within SKILL.md to download images. The `imageUrl` for these commands is extracted from browser DOM content (specifically `img[src*="fbcdn.net"]`) by `scripts/read-messages.js`. While the script attempts to filter image sources and the `curl` command uses quoting, this pattern represents a potential vulnerability where a sophisticated attacker could potentially manipulate the `imageUrl` to download arbitrary files or attempt shell injection, even if the current implementation mitigates some risks. The presence of strong defensive instructions in SKILL.md against prompt injection and path traversal indicates security awareness, but the direct shell execution based on external content remains a notable risk.
- External report
- View on VirusTotal