Back to skill
Skillv1.0.0
VirusTotal security
Itinerary Carousel Post Topaz · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:11 AM
- Hash
- 0a4a2ff6156b12c7f2a61b67d6364d128605dacf5524454ac088d610f8d605cb
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: itinerary-carousel-post-topaz Version: 1.0.0 The skill is classified as suspicious due to its reliance on high-risk capabilities that could be exploited via prompt injection, despite serving a legitimate purpose. Specifically, it accesses sensitive API keys from the macOS Keychain (`security find-generic-password` for Topaz and Instagram tokens) and performs `git push` operations to a remote GitHub repository. While these actions are necessary for the skill's stated goal of image enhancement and Instagram publishing, they grant the AI agent powerful capabilities (credential access, remote code/data modification) that, if subverted by a malicious prompt, could lead to unauthorized data exfiltration or arbitrary command execution. The `SKILL.md` file, as an attack surface, presents multiple points where an attacker could attempt to inject instructions to misuse these capabilities.
- External report
- View on VirusTotal