Skill v1.0.0
VirusTotal security
Itinerary Carousel Post · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:06 AM
- Hash: 51aa89df5262cf09bc145ffcfac771deddd0a5f20ad56a7d17961614cbc5af7e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: itinerary-carousel-post; Version: 1.0.0. The `SKILL.md` file presents significant shell injection and prompt injection vulnerabilities. User-controlled parameters like `{DESTINATION}`, `{ATTRACTION}`, and `{subject}` are directly substituted into `bash` commands (e.g., `python3 skills/instagram-photo-text-overlay/scripts/overlay.py --title "{ATTRACTION}"`) and prompts for web search/vision scoring without apparent sanitization. This could allow an attacker to execute arbitrary commands on the agent's host or manipulate the agent's behavior. While the skill's use of `git push` and `curl` to Instagram APIs is aligned with its stated purpose, the lack of input sanitization for these powerful operations makes the skill highly risky.
