Skill v1.4.0
VirusTotal security
Cinematic Script Writer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:41 AM
- Hash: 7f25388d13952a7c812d605c476d2de462020cedc582ee905448fbfcc7d0792e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: openclawskills; Version: 1.4.0. The skill bundle is classified as suspicious primarily due to a Remote Code Execution (RCE) vulnerability present in the `skill-template/index.ts` file, which uses `Function("...return (" + expression + ")")()` to evaluate user-provided input. Although this is in a template and not directly part of the main `cinematic-script-writer` skill's active code, its inclusion in the bundle highlights a risky pattern. Additionally, the `SKILL.md` (top-level) and `skills/cinematic-script-writer/SKILL.md` files contain JavaScript code blocks intended as human CLI usage examples, which pose a prompt injection risk against the AI agent if the agent's execution environment misinterprets these documentation blocks as executable commands. The skill also requests broad permissions like `http:request` (for LLM and Google Drive APIs) and the `examples/file-manager-skill/index.ts` demonstrates powerful `fs:read/write/delete` capabilities, which, while justified by their stated purpose, contribute to the overall risk profile.
