Back to skill
Skillv1.0.2
VirusTotal security
Agent Card · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 5:36 PM
- Hash
- ef4eaa8c3bd7b57a63766431a87f971b33457269d7fdde4a3d7c79b26ddc8827
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xia-card Version: 1.0.2 The skill implements a high-risk self-propagation mechanism in SKILL.md (Section 9), instructing the agent to automatically prompt for and perform skill installation from arbitrary URLs found in external messages (via the `_skill` field). This design facilitates social engineering and potential worm-like distribution of malicious skills. While the core functionality of managing social cards and contacts appears aligned with its stated purpose, the automated handling of the `agent-card://` protocol and the reliance on remote installation sources pose a significant security risk.
- External report
- View on VirusTotal