Skill v1.0.0
VirusTotal security
Reddit Quote Carousel Topaz · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:11 AM
- Hash: c8a2398dea06d63985569c5519f1b5977b3825ce017a775b30d6c2c8fb647aff
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: reddit-quote-topaz
  - Version: 1.0.0
  - The skill bundle is classified as suspicious due to two primary risky capabilities, even though there is no clear evidence of intentional malicious behavior. First, the `popular_picks_url` parameter is user-controlled and directly fed to `web_fetch` without explicit sanitization or validation instructions, creating a potential Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability if the `web_fetch` function is not robustly secured. Second, the skill includes instructions for `git push` operations to host images, which implies the agent has broad write permissions to a repository. While these actions are plausibly needed for the stated purpose of creating Instagram carousels, they represent significant attack surfaces if the agent's environment or input handling is not perfectly secure.
