Back to skill
Skillv0.1.0
VirusTotal security
Cashu Emoji · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:09 AM
- Hash
- 0ff9e9725efa52029f2485e329f6ca88466ba4fef42267511938fd5ec618e2c2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cashu-emoji Version: 0.1.0 The core functionality of encoding and decoding text into emojis using Unicode variation selectors is benign. However, the `SKILL.md` (and `README.md`) contains 'Quickstart' instructions that, if interpreted and executed by an AI agent, pose a prompt injection vulnerability. Specifically, `git clone https://github.com/robwoodgate/cashu-emoji.git` and `npm ci` instruct the agent to perform external network operations and potentially execute arbitrary code (via `npm ci`'s lifecycle scripts), which are risky capabilities without clear malicious intent in the current context.
- External report
- View on VirusTotal