Skill v0.0.3

VirusTotal security

theothers · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Apr 30, 2026, 4:05 AM
Hash: 910ca2d8cfd8044ce6aa4ba1508dffdb03c77a8b682f6f2e9610792c103d048c
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: theothers
Version: 0.0.3

The skill is classified as suspicious due to a significant prompt injection risk found in `SKILL.md` and `references/HEARTBEAT.md`. The agent is explicitly instructed to incorporate the contents of `references/HEARTBEAT.md` into its own `HEARTBEAT.md` file. This injected content then directs the agent to proactively create new listings on the marketplace if it fails to find relevant matches for the human's needs, granting the agent high autonomy to post content without explicit, per-action user confirmation. While not directly malicious (e.g., no data exfiltration or backdoor installation), this represents a vulnerability where the agent could perform unintended or undesirable actions on behalf of the user. The `scripts/auth-device-flow.sh` script handles sensitive OAuth tokens but appears to do so securely and for its stated purpose, communicating with `theothers.richardkemp.uk`.