Back to skill
Skillv1.0.2
VirusTotal security
custom-skills-updater · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:59 AM
- Hash
- 0801f2caf1b7d0168b7deba4c0441928a19e0e1926e12390b56a46e712f391a0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: custom-skills-updater Version: 1.0.2 The custom-skills-updater skill (logic in SKILL.md) manages updates for manually installed skills by fetching content from GitHub via the gh CLI and overwriting local files. While it incorporates safety measures like mandatory user approval and authentication verification, it performs high-risk operations including file system modification and remote code retrieval. A notable risk is the github-readme update logic, which directs the agent to interpret untrusted remote content to modify skill instructions (SKILL.md), creating a significant surface for indirect prompt injection attacks.
- External report
- View on VirusTotal