Back to skill
Skillv3.5.0
VirusTotal security
tappi · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:15 AM
- Hash
- d4284d049377cde2d68fbbc97814a7a072b937f2f1e5e41f63c06a3ab034a273
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tappi Version: 3.5.0 The skill is suspicious due to its powerful capabilities that, while aligned with browser automation, present significant prompt injection risks against an AI agent. Specifically, `scripts/browser.js` implements an `eval` command allowing arbitrary JavaScript execution within the browser context, and `paste --file` and `upload` commands that can read local files. A compromised agent could be prompted to use these commands to exfiltrate sensitive browser data (e.g., cookies, local storage via `eval`) or local files (e.g., `~/.ssh/id_rsa` via `paste --file` then exfiltrated via `eval` making a network request).
- External report
- View on VirusTotal