Skill v1.1.1

VirusTotal security

Wind & Site · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 4:23 AM
Hash
142a94da58254a04579cf5f8d3fda500c73a9e934741bdc904fb734012c8d8cb
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: wind-site
Version: 1.1.1

The skill is classified as suspicious due to a significant prompt injection vulnerability against the OpenClaw agent. The `SKILL.md` file explicitly instructs the agent to use `shell:exec` to run Python scripts (`scripts/wind_info.py`, `scripts/wind_rose.py`) with parameters directly derived from user input. If the agent does not robustly sanitize or quote these user-provided parameters when constructing the shell command, a malicious user could inject arbitrary shell commands, potentially leading to Remote Code Execution (RCE). Additionally, `scripts/wind_rose.py` writes to an `output_path` directly from arguments, which, if combined with prompt injection, could lead to arbitrary file writes, despite `SKILL.md` attempting to guide the agent to use 'allowed paths'.