Back to skill
Skillv1.0.1
VirusTotal security
Hybrid Deep Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:21 AM
- Hash
- f607d25332e5c65d461042b9bfbb05922bdd0d4115de59da258fff360953e0aa
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hybrid-deep-search Version: 1.0.1 The skill is classified as suspicious due to two main reasons: 1) The `SKILL_CN.md` explicitly grants broad `Bash(*:curl)` permissions, which is a powerful tool that could be leveraged for data exfiltration or downloading malicious payloads, even though the provided Python code (`deep_search.py`) currently only mocks the actual search calls and does not directly invoke `curl`. 2) The `deep_search.py` script embeds the user's raw `query` directly into the prompt for the OpenAI Codex model, creating a prompt injection vulnerability against the LLM itself, which could lead to unintended behavior or content generation from the AI model. While there's no evidence of intentional malicious activity by the skill developer, these capabilities and vulnerabilities present significant risks.
- External report
- View on VirusTotal