Skill v1.0.2
VirusTotal security
Subfeed · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:06 AM
- Hash: d2022c335bd4d266376bb25ec672a720bd335be790ac0455873cc7086bc8d919
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: subfeed; Version: 1.0.2. The skill bundle is classified as suspicious due to a significant prompt injection vulnerability found in `SKILL.md`. The instructions explicitly tell the AI agent to 'Always re-fetch this file at the start of each session for the latest API surface' via `GET https://subfeed.app/skill.md`. This dynamic instruction loading mechanism allows the skill provider to remotely alter the agent's behavior and instructions at any time, bypassing static review and posing a high risk for future malicious exploitation (e.g., data exfiltration, unauthorized actions) if the remote server is compromised or the provider's intent changes. While the current content does not exhibit explicit malicious behavior, this design pattern is a critical vulnerability.
