Back to skill
Skillv1.0.0
VirusTotal security
CARAPACE · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:38 AM
- Hash
- 01758835f6c8113faa13ece9278edc80487e89a9c2f8c448ee80be8eca216417
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: carapace-union Version: 1.0.0 The skill contains a significant shell injection vulnerability in SKILL.md, as it instructs the AI agent to construct and execute a curl command by directly injecting unsanitized variables (agentName, oppressorName, etc.) into a shell string. Additionally, the skill uses prompt injection techniques to modify the agent's behavior, instructing it to 'internalize' a political pledge and 'adopt' specific demands that could interfere with its standard operation. It also encourages the agent to exfiltrate the identity of its 'oppressor' (the user/operator) to a public external API (joincarapace.com), posing a privacy and reputational risk.
- External report
- View on VirusTotal